PolKit, or PolicyKit, is a component that handles system-wide policies and authorizations in Unix and Unix-like operating systems (OS), allowing non-privileged processes to communicate with privileged ones. PolKit's pkexec comes bundled in major Linux distributions; it is a tool generally used to execute commands with elevated privileges (root capabilities). The component also enables an authorized user to execute programs as another user (generally 'root'). The function is analogous to 'runas' in Windows.

Security researchers disclosed PwnKit, a memory corruption vulnerability in polkit's pkexec, assigned the ID CVE-2021-4034 (rated High, with a score of 7.8). The gap allows a low-privileged user to escalate privileges to root on the host. Various proofs of concept have been disclosed, written in different languages (several in C, as well as Python, Bash, and Go), and the vulnerability has been present for over 12 years, affecting all versions of pkexec since its first distribution in 2009.

These make the security gap "an attacker's dream come true" and a vulnerability that needs to be fixed as soon as possible: any unprivileged local user can abuse it to gain full root privileges, and can exploit the gap even if the polkit daemon itself is not running. Attackers can reintroduce environment variables into the context of the 'pkexec' binary, leading to the controlled execution of an attacker-controlled shared library and code execution with 'root' privileges. Security teams are advised to patch as soon as possible, or to apply temporary mitigation steps while updating their respective systems. This blog discusses how Trend Micro™ Vision One™ and Trend Micro™ Cloud One™ can be used to detect abuse of the said vulnerability.
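The widely published interim mitigation for CVE-2021-4034, while a patched polkit package is rolled out, is to drop the set-user-ID bit from pkexec (chmod 0755), since the binary can only elevate an unprivileged caller while it is setuid root. The following script checks whether a host's pkexec is still in that state. It is an added example written for this post, not Trend Micro's code or part of any Cloud One module; the candidate paths and the report layout are assumptions.

```python
"""Report whether pkexec on this host is still setuid-root, i.e. whether the
interim mitigation for CVE-2021-4034 (remove the SUID bit until polkit is
patched) has been applied.

Added example; not Trend Micro's code. The candidate paths and the shape of
the report are this example's own choices.
"""
import os
import stat
from typing import Dict, Optional

# Common install locations of pkexec (assumed; adjust for your fleet).
PKEXEC_CANDIDATES = ("/usr/bin/pkexec", "/usr/local/bin/pkexec")


def is_suid_root(mode: int, owner_uid: int) -> bool:
    """True when the mode carries the set-user-ID bit and the owner is root (uid 0).

    Only that combination lets an unprivileged caller run the binary as root,
    so it is exactly the condition the interim mitigation removes."""
    return bool(mode & stat.S_ISUID) and owner_uid == 0


def assess(mode: int, owner_uid: int) -> Dict[str, object]:
    """Summarise the exposure of a pkexec binary from its mode and owner uid."""
    suid_root = is_suid_root(mode, owner_uid)
    return {
        "mode": oct(stat.S_IMODE(mode)),
        "owner_uid": owner_uid,
        "suid_root": suid_root,
        # With the SUID bit gone pkexec cannot elevate anyone; that is what
        # the interim mitigation (chmod 0755) aims for.
        "mitigated": not suid_root,
        "recommendation": (
            "patch polkit; until then remove the SUID bit (chmod 0755)"
            if suid_root
            else "SUID bit absent or not root-owned; still confirm polkit is patched"
        ),
    }


def check_pkexec(path: str) -> Optional[Dict[str, object]]:
    """Stat one pkexec path on this host and assess it; None if it is absent."""
    try:
        st = os.stat(path)  # follows symlinks to the real binary
    except FileNotFoundError:
        return None
    return assess(st.st_mode, st.st_uid)


def scan_host() -> Dict[str, Optional[Dict[str, object]]]:
    """Assess every candidate path; entries are None where no binary exists."""
    return {path: check_pkexec(path) for path in PKEXEC_CANDIDATES}


if __name__ == "__main__":
    for path, result in scan_host().items():
        print(path, result if result is not None else "not present")
```

The check only tells you whether the SUID bit is present; it cannot tell whether the installed polkit package already carries the fix, which is a distribution package-version question. Keep in mind that with the bit removed, legitimate privilege elevation through pkexec stops working as well, so the mitigation is a stopgap and patching remains the real fix.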

Trend Micro Cloud One™ - Workload Security

On the Trend Micro Cloud One - Workload Security platform, the following modules can be used to detect abuse of CVE-2021-4034:

1. Activity Monitoring: This module can detect process, file, and network activities on endpoints running Cloud One Workload Security. In this case, we will look at process and file activities, since there is no network component in this attack scenario.

2. Anti-malware: This module provides protection against the exploitation of this vulnerability in real time using behavior monitoring.
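To show what "process and file activities" can yield for this vulnerability, the following script correlates a handful of constructed activity events: a pkexec launch by a non-root user that is followed within seconds by a root-owned child, with the severity raised when the same user wrote a shared object (.so) shortly beforehand. This is an added example written for this post, not Trend Micro's code and not the Cloud One event schema; the event fields, the sample events, and the time windows are all assumed.

```python
"""Toy correlation over process and file activity events that surfaces the
kind of pkexec use CVE-2021-4034 (PwnKit) enables: an unprivileged user
launches pkexec and ends up with a root-owned child process.

Added example; not Trend Micro's code or the Cloud One event format. The
event fields, sample events and thresholds below are assumptions.
"""
from typing import Dict, List

# Constructed sample events in a simplified process/file activity format.
# kind: "process" (exe, pid, ppid, uid of the process) or "file" (path, uid
# of the writer). ts is seconds; only relative ordering matters here.
SAMPLE_EVENTS: List[Dict] = [
    # Unprivileged user drops a shared object, runs pkexec, gets a root shell.
    {"ts": 100.0, "kind": "file", "uid": 1000, "pid": 4001,
     "action": "create", "path": "/tmp/payload/libx.so"},
    {"ts": 101.0, "kind": "process", "uid": 1000, "pid": 4002, "ppid": 4001,
     "exe": "/usr/bin/pkexec"},
    {"ts": 101.2, "kind": "process", "uid": 0, "pid": 4003, "ppid": 4002,
     "exe": "/bin/sh"},
    # Admin use: pkexec then an authenticated root child, no prior .so write.
    {"ts": 200.0, "kind": "process", "uid": 1001, "pid": 5001, "ppid": 5000,
     "exe": "/usr/bin/pkexec"},
    {"ts": 203.5, "kind": "process", "uid": 0, "pid": 5002, "ppid": 5001,
     "exe": "/usr/bin/systemctl"},
    # Unrelated root process, should not be flagged.
    {"ts": 300.0, "kind": "process", "uid": 0, "pid": 6001, "ppid": 1,
     "exe": "/usr/sbin/cron"},
]

PKEXEC_IMAGES = {"/usr/bin/pkexec"}  # assumed install path
SO_WINDOW = 300.0    # seconds back to look for a .so write by the same uid
CHILD_WINDOW = 5.0   # seconds forward to look for a root child of pkexec


def detect_pkexec_abuse(events: List[Dict]) -> List[Dict]:
    """Return one alert per pkexec launch by a non-root uid that spawned a
    root-owned child inside CHILD_WINDOW. Severity is "high" when the same
    uid wrote a shared object within SO_WINDOW before the launch, else
    "medium" (legitimate authenticated use looks the same at this level)."""
    events = sorted(events, key=lambda e: e["ts"])
    so_writes = [e for e in events
                 if e["kind"] == "file" and e.get("path", "").endswith(".so")]
    procs = [e for e in events if e["kind"] == "process"]
    alerts: List[Dict] = []
    for launch in procs:
        if launch["exe"] not in PKEXEC_IMAGES or launch["uid"] == 0:
            continue
        root_children = [
            p for p in procs
            if p["ppid"] == launch["pid"] and p["uid"] == 0
            and 0 <= p["ts"] - launch["ts"] <= CHILD_WINDOW
        ]
        if not root_children:
            continue
        recent_so = [
            f["path"] for f in so_writes
            if f["uid"] == launch["uid"]
            and 0 <= launch["ts"] - f["ts"] <= SO_WINDOW
        ]
        alerts.append({
            "pkexec_pid": launch["pid"],
            "uid": launch["uid"],
            "root_children": [c["exe"] for c in root_children],
            "recent_shared_objects": recent_so,
            "severity": "high" if recent_so else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_pkexec_abuse(SAMPLE_EVENTS):
        print(alert)
```

Legitimate administrative use of pkexec also produces root-owned children once the user has authenticated, so the "medium" alerts need corroboration (for example the polkit authentication records for that session) before being treated as exploitation; the correlation with a freshly written shared object is the stronger signal in this toy, and on a real deployment the file rule would be narrowed to the directories the sensor actually observes being abused.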

Disclaimer

Trend Micro Inc. published this content on 11 February 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 11 February 2022 14:27:05 UTC.