How a 12-Year-Old Linux Polkit Flaw (CVE-2021-4034) Grants Unlimited Root Access

Researchers uncovered a 12‑year‑old vulnerability in Linux’s Polkit (CVE‑2021‑4034, dubbed PwnKit) that lets attackers exploit the pkexec utility to gain unrestricted root privileges on most major distributions, prompting urgent patching recommendations and mitigation steps for administrators.

MaGe Linux Operations
(Image: Polkit vulnerability illustration)

For Linux users, the root account holds the highest privileges, allowing actions ordinary users cannot perform. This Tuesday, the root user received bad news—a 12‑year‑old flaw in the Polkit system tool enables attackers to obtain unrestricted root privileges on most machines running major open‑source operating systems.

Polkit, formerly PolicyKit, manages system‑wide permissions on Unix‑like OSes, providing a mechanism for non‑privileged processes to interact securely with privileged ones. It also lets users run high‑privilege commands via the SUID‑root program pkexec, installed on every major Linux distribution.

Qualys researchers discovered the dormant flaw last November, naming it PwnKit. After patches were applied to most Linux distributions, the vulnerability was disclosed this Tuesday. PwnKit is tracked as CVE‑2021‑4034 with a critical CVSS score of 7.8, found in Polkit’s pkexec functionality.

Long‑standing Vulnerability

Like most operating systems, Linux implements a hierarchical permission model to control when applications or users can interact with sensitive system resources, aiming to limit damage if an untrusted user gains network control or an application is compromised.

Researchers found that pkexec has contained a memory‑corruption bug since 2009. In a report published Tuesday they described a proof‑of‑concept exploit that achieved full root access on default installations of CentOS, Debian, Fedora, and Ubuntu, and they believe other distributions are likely vulnerable as well.

An attacker with limited control over a vulnerable machine can use the flaw to elevate privileges to root. The exploit is trivial and reportedly 100 % reliable; an attacker who already has a foothold on a vulnerable host can run malicious payloads with full system rights. The vulnerability can be leveraged even when the Polkit daemon itself is not running, because the bug lies in the SUID‑root pkexec binary rather than in the daemon.

Exploitation in the Wild Is Inevitable

Qualys Threat Research Director Bharat Jogi wrote that the most likely scenario involves an insider who can upgrade from no privileges to full root. From an external perspective, an attacker who establishes a foothold via other vulnerabilities or leaked credentials could also use this bug to gain root. The exploit requires an authenticated local session on the target; it cannot be executed remotely without one. Qualys has not released PoC code for fear it would aid attackers, though another source has published it.

SANS penetration tester Bojan Zdrnja warned that the vulnerability will soon be exploited in the wild, especially on multi‑user systems that allow shell access. He successfully reproduced the exploit on Ubuntu 20.04.

(Image: SANS ISC InfoSec Forums illustration)

Similar Vulnerabilities Exist

Qualys researchers are not the first to discover this issue; similar vulnerabilities have been reported before. In 2013, researcher Ryan Mallon disclosed an almost identical Polkit flaw and even provided a patch, though he could not find a reliable exploit. In June of last year, GitHub security researcher Kevin Backhouse reported a privilege‑escalation bug tracked as CVE‑2021‑3560, which was also patched by major Linux vendors.

Mallon’s response: “Funny, I wrote a blog about this Polkit vulnerability back in 2013. I couldn’t find a practical exploit, but I did identify the root cause.”

Experts Urge Immediate Patching

Major Linux distributions have released patches for the vulnerability, and security experts strongly advise administrators to apply them promptly. Administrators who cannot patch immediately should remove the SUID bit from /usr/bin/pkexec (chmod 0755 /usr/bin/pkexec) so that it no longer runs as root when invoked by non‑privileged users; note that this also disables legitimate pkexec use for those users until the patched package restores the bit. Debian, Ubuntu, and Red Hat have each published their own recommendations.

To check whether the vulnerability has been exploited on a system, search the system logs for pkexec entries such as “no SHELL variable found in /etc/shells” or messages reporting that an environment variable contains suspicious content. Qualys notes, however, that PwnKit can also be leveraged without leaving these traces, so a clean log is not proof that a host was not exploited.
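The two administrator steps above, checking whether pkexec is still SUID‑root (and applying the interim chmod 0755 mitigation) and scanning logs for the pkexec messages, as a small POSIX shell script. This is an added example written for this page; it is not code from the article, from Qualys, or from the Polkit project. The function names, the PKEXEC_PATH variable, and the sample log lines are constructed here; the two indicator strings are taken from my reading of the pkexec source and the Qualys advisory (the original source misspells “suspicious” as “suscipious”, so both spellings are matched) and should be confirmed against the pkexec binary on your own distribution, for example with `strings`.

```shell
#!/bin/sh
# Added example (not from the original article): defender-side checks for
# CVE-2021-4034 (PwnKit).
#   1. check_pkexec     - is /usr/bin/pkexec still setuid-root?
#   2. mitigate_pkexec  - interim mitigation from the article: chmod 0755
#   3. scan/count_pwnkit_indicators - grep a log file for the messages pkexec
#      logs when the exploit's environment-handling path is hit.
# Assumption: indicator strings below match the pkexec build on your system.

PKEXEC_PATH="${PKEXEC_PATH:-/usr/bin/pkexec}"

# Return 0 when the given file carries the setuid bit, 1 otherwise.
is_suid() {
    [ -u "$1" ]
}

# Report pkexec's state. Exit status: 0 = setuid bit present (mitigation not
# applied), 1 = bit absent, 2 = file missing.
check_pkexec() {
    path="${1:-$PKEXEC_PATH}"
    if [ ! -e "$path" ]; then
        echo "$path: not installed"
        return 2
    fi
    if is_suid "$path"; then
        echo "$path: setuid bit set; unpatched hosts are exploitable"
        return 0
    fi
    echo "$path: setuid bit already removed"
    return 1
}

# Interim mitigation from the article: drop the setuid bit (needs root on a
# real host). This also stops legitimate pkexec use for unprivileged users
# until the patched package restores the bit.
mitigate_pkexec() {
    path="${1:-$PKEXEC_PATH}"
    chmod 0755 "$path" && echo "$path: setuid bit removed"
}

# Extended regex for the two pkexec log messages the default exploit path
# triggers. Both spellings are accepted because pkexec's own source string
# reads "suscipious".
PWNKIT_INDICATOR_RE='SHELL variable was not found|contains sus(pic|cip)ious content'

# Print matching lines from a log file (e.g. /var/log/auth.log or the
# output of `journalctl -t pkexec`). Never fails just because nothing matched.
scan_pwnkit_indicators() {
    grep -E "$PWNKIT_INDICATOR_RE" "$1" || true
}

# Print only the number of matching lines.
count_pwnkit_indicators() {
    grep -Ec "$PWNKIT_INDICATOR_RE" "$1" || true
}

# Constructed sample log (not a real capture) so the script runs stand-alone.
# Two of the four lines carry an indicator; the sshd line is noise.
make_sample_log() {
    tmp="$(mktemp)"
    cat >"$tmp" <<'EOF'
Jan 25 10:01:12 host pkexec[2211]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Jan 25 10:02:45 host pkexec[2230]: bob: The value for the SHELL variable was not found the /etc/shells file
Jan 25 10:03:01 host pkexec[2241]: bob: The value for environment variable SOMEVAR contains suscipious content
Jan 25 10:05:30 host sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 50222 ssh2
EOF
    echo "$tmp"
}

# Stand-alone run: report pkexec state, then scan the constructed sample log.
check_pkexec || true
sample="$(make_sample_log)"
scan_pwnkit_indicators "$sample"
echo "indicator lines: $(count_pwnkit_indicators "$sample")"
rm -f "$sample"
```

On a real host, point `scan_pwnkit_indicators` at your auth log or at saved `journalctl -t pkexec` output; a non‑zero count is worth investigating, but, as the article notes, a zero count does not clear the host, because the flaw can be exploited without emitting either message.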

Reference links:

https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/

https://threatpost.com/linux-bug-in-all-major-distros-an-attackers-dream-come-true/177996/

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
