A trivially exploitable vulnerability has been disclosed in Polkit, a component installed by default on many Linux distributions. Successful exploits of this vulnerability would grant an attacker full root privileges on the host. Most devices in the Extended Internet of Things (XIoT) are likely affected.
The vulnerability, which Qualys has named PwnKit (CVE-2021-4034) has been in Polkit—once known as PolicyKit—for more than a decade. Polkit manages system-wide privileges on Linux operating systems and oversees how non-privileged processes communicate with privileged ones.
This memory-corruption issue likely impacts most devices in the XIoT, including industrial OT, enterprise IoT, and medical IoT equipment. PwnKit is a local privilege escalation vulnerability, meaning that an attacker would already need to have access to a vulnerable host in order to exploit the vulnerability.
Users who manage any Linux devices should determine their exposure and patch immediately. Qualys said it sent patches to affected distributions on Jan. 11; If a patch is not yet available for a particular Linux distribution, Qualys suggests as a mitigation that users remove the SUID-bit from Polkit's pkexec function.
In its advisory, Qualys said it was able to trigger the vulnerability in Polkit's pkexec function and gain root access on default installations of Ubuntu, Debian, Fedora, and CentOS. It's likely that other distributions are vulnerable, and exploitable.
Team82 has confirmed it was able to trigger the vulnerability, see the video below.
Qualys said it is unaware of public exploits. Qualys did not publish its proof-of-concept exploit because of the ease of exploitation involved with attacking this vulnerability. Others, however, have already reverse-engineered the bug and published PoCs online, indicating that more malicious exploits may not be far behind.
Users can find artifacts of exploits in logs, but Qualys cautions that the vulnerability may be quietly exploited as well.
"This exploitation technique leaves traces in the logs (either "The value for the SHELL variable was not found in the /etc/shells file" or "The value for environment variable […] contains suspicious content")," Qualys said in its advisory. "However, please note that this vulnerability is also exploitable without leaving any traces in the logs."
The disclosure of PwnKit is going to further inflame discussions about the security of open source software. Recently, the White House gathered tech leaders to discuss the issue in the context of the Log4j vulnerability in Apache. Log4j is a logging framework native to Apache that was ubiquitous across IT and operational technology environments. Multiple vulnerabilities and exploits surfaced post-disclosure, and the Biden administration expressed concern over the use of open source components in software used in critical infrastructure.
The issue when vulnerabilities such as PwnKit and Log4j arise is that users may be blind to these components running inside commercial or homegrown applications, so they may not understand their exposure when critical vulnerabilities are disclosed.
The Biden administration, last year in an Executive Order signed in May of last year, mandated that the federal government take steps to beef up the security of the software supply chain. The EO was in reaction to the SolarWinds compromise of late 2020, which demonstrated the fragility of the supply chain and reinforced the need for secure software development practices and oversight of products used by the federal government and within critical infrastructure.
One critical component of the EO was the need for a software bill of materials (SBOM) to be made available for each product used by the federal government. SBOMs describe the software components used in the development of a commercial product.
The availability of such a list would remove the mystery as to whether components such as Polkit, Log4j and others are running under the covers. Asset owners and IT administrators responsible for vulnerability management would immediately understand their exposure and be able to prioritize patching and other mitigations.
CWE-35 Path Traversal:
011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.
CyberData recommends users update to v22.0.1
CVSS v3: 9.8
CWE-522 Insufficiently Protected Credentials:
011209 Intercom does not properly store or protect web server admin credentials.
CyberData recommends users update to v22.0.1
CVSS v3: 7.5
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'):
011209 Intercom could allow an unauthenticated user to gather sensitive information through blind SQL injections.
CyberData recommends users update to v22.0.1
CVSS v3: 5.3
CWE-306 Missing Authentication for Critical Function:
011209 Intercom exposes features that could allow an unauthenticated to gain access and cause a denial-of-service condition or system disruption.
CyberData recommends users update to v22.0.1
CVSS v3: 7.5
CWE-288 Authentication Bypass Using an Alternate Path or Channel:
011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.
CyberData recommends users update to v22.0.1
CVSS v3: 9.8
