Find Linux Systems Vulnerable to Polkit With Axonius

By now you may have heard that researchers at Qualys identified a 12-year old memory corruption vulnerability in Polkit, a program installed by default on almost every Linux distribution. Polkit allows non-privileged users to communicate with privileged processes in a secure way. It also allows users to run highly privileged commands via a component called pkexec.

Only, there’s one problem: The long-standing flaw, dubbed PwnKit, can be abused by malicious users who have (or gain) local, unprivileged access to the system. This could theoretically lead to the delivery of a malicious payload or account takeover on millions of users and machines, if an attacker is highly motivated.

However the good news is that this vulnerability is not remotely exploitable (i.e., an attack requires local privileges. It’s not remotely exploitable like Log4Shell, for instance). Further, it is entirely patchable. Caveat: We at Axonius understand that patching is not “simple.” There are many factors which affect an organization’s decision to patch, to not patch, or to prioritize certain patches over others. 

Another potentially frustrating factor is that enterprises need to obtain a patch from their Linux distributor. Unlike single system or single vendor vulnerabilities with patches, the open source aspect of Polkit makes a coordinated response across systems challenging. Reportedly, all the major Linux distributors have released patches. In addition, researchers say that, whether or not a patch is available yet for your distro, administrators can run the chmod 0755 /usr/bin/pkexec  command to prevent pkexec from running as root in any instance other than that commended by a privileged user.

Seem straightforward enough? It should. While PwnKit is garnering a lot of media attention, security and operations’ teams’ realities include the constant search for and remediation of cyber vulnerabilities — and this is just one more vulnerability, one without any known active exploit to date, and one that would take a high degree of local privilege to execute. This is not a new class of vulnerability and the world is not on fire. Though PwnKit should be attended to if it’s present in your assets, finding and fixing the vulnerability should be fairly straightforward and should not consume your security team’s world for days or weeks to come

Handling Complexity With Practicality

When a vulnerability like PwnKit is spread across media, it’s easy to get overwhelmed. Below, we provide a streamlined way for Axonius customers to easily and comprehensively identify Linux distros in their environment so they can make risk-based decisions on patching and/or remediation efforts. Security and IT teams can control complexity through process-oriented security fundamentals, starting with identifying affected assets and their resident security gaps. 

To begin, login to your Axonius platform and navigate to the Devices tab and click into the Query Wizard to begin a new query.

Run the following query. 

You are looking for:

• Linux OS devices
• Where installed software equals policykit-1 (the former name of Polkit)
• OR where vulnerable software includes the CVE ID: CVE-2021-4034

This query will fetch all devices associated with the Polkit vulnerability. Changing the query parameter “equals” in lines three and five to “contains” renders the same result.

To ensure you are covering all your naming-convention bases, you could run a second query to search for “Polkit,” the abbreviated  name of the program:

This returns slightly different results, and allows for a possibility of a different naming convention in your asset environment, but still provides a manageable list of devices to triage. 

Once Axonius has fetched devices associated with the Polkit vulnerability, you can use the Axonius Enforcement center and Actions to mitigate consequences of the vulnerability. 

Some predefined actions you can take immediately include:

• Notify device owners or administrators
• Create an incident
• Isolate a device
• Deploy files and run commands (such as a Linux Shell command or SSH scan)

And, of course, you can use the results of your query to install the proper patch at the proper time for your organization. 

Though much of the news around this latest CVE focuses on the extreme number of machines that could be exploited using this vulnerability, we’ve yet to see CVE-2021-4034 exploited in the wild (we’re also waiting to see more severe damage to corporate systems from the so-called blockbuster vulnerability, Log4Shell). Instead of adding to the frenzy, we advise our clients to take a more pragmatic approach to finding and fixing vulnerabilities: Start with visibility, then move to mitigation. 

To control complexity, you can’t get lost in the chaos. And that’s what we strive to simplify for our clients.

To learn more about how Axonius helps you control chaos or find PwnKit in your environment, take a free spin on our platform or contact our team to schedule a demo today.