On January 25, 2022, Bharat Jogi; Director, Vulnerability and Threat Research at Qualys; announced in his blog that Qualys’s research team had discovered “a local privilege escalation vulnerability in polkit’s pkexec (CVE-2021-4034).” This “easily exploited [memory corruption] vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.”
The vulnerability affects “default installations of Ubuntu, Debian, Fedora, CentOS,” and other Linux distributions. Mr. Jogi writes that “this vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009.”
So, this is a major threat.
Of course, the vulnerability had (according to arsTECHNICA) already been patched in most Linux distributions before Qualys made the announcement. But troubling questions remain:
- How many more unknown vulnerabilities are out there?
- Are they unknown to cybercriminals?
- How can we protect our businesses from these unknown threats?
CipherTrust Transparent Encryption protects our customers’ data, including from privilege escalation vulnerabilities, such as Polkit. Unauthorized users are denied access, and denied attempts are logged and can be streamed to a SIEM. CipherTrust Transparent Encryption can recognize an authenticated user even after the user uses pkexec to run a program as another user. The solution will treat a user as fake when the pkexec-run program tries to access protected data.
CipherTrust Transparent Encryption CTE), working along with CipherTrust Manager (CM), is dedicated to protect customer data from this kind of privilege escalation attacks. CTE encrypts the protected data under the guard points (directories of local or network file systems, disk volumes, or AWS S3 buckets), and limits the access by applying guarding policies. A policy can define only authorized users to have full access to a guard point while other users’ accesses are denied and audited. Because CTE hardens system user authentication, CTE can recognize the original authenticated user even after the user elevates the privilege by using SUID binaries. CTE access control thus can block this kind of attacks on protected data.
The following demo will show how CTE protects user or system data from the PwnKit attack.
A test machine is running RHEL7.7 with default configuration:
A guard point /gp is guarded to be accessed by only root user
Now we explore the pkexec vulnerability, and raise the local user privilege as root. Although the root user under this context can access system resources, but it is not allowed to access the files under the guard point:
CTE not only protects user and system data from this PwnKit attack, it is also effective to protect from other privilege escalation attacks.
For more information on how to implement and maintain encryption with minimal impact, read our CipherTrust Transparent Encryption – Product Brief.
The post Protecting your data against the PolKit memory corruption vulnerability and other unknown vulnerabilities first appeared on Data Protection Support.