CyRC Vulnerability Analysis: Local privilege escalation vulnerability discovered

2022-1-27 11:0:29 Author: www.synopsys.com

Posted by on Wednesday, January 26, 2022

Learn more about CVE-2021-4034, a newly discovered vulnerability in PolKit software used in major Linux distributions.

CVE-2021-4034

Another critical open source vulnerability has been discovered. This time it’s in a popular component used in major Linux distributions and some UNIX-like operating systems, so it has the potential to impact software development organizations far and wide. PolKit, which provides methods for nonprivileged processes to interact with privileged ones, has been assigned CVE-2021-4034 and dubbed “PwnKit.”

What are the implications?

CVE-2021-4034 has the potential to grant even inexperienced actors an easy way to access a multitude of systems and use administrative privileges. By chaining memory corruption in pkexec and a few other weaknesses in the software, unprivileged local users can gain full root privileges and then move through the vulnerable host’s network to steal sensitive data and lay the groundwork for additional attacks with increased stealth, persistence, and capability.

Exploiting this vulnerability does require a threat actor to already have local access, because the vulnerable components don’t, for instance, listen for external traffic. But the ease with which even an inexperienced attacker can exploit it is cause for the heightened security level.

In addition, security researchers have already independently verified the vulnerability. They were able to develop an exploit that gave them full root privileges, providing confirmation that this bug is easily exploitable across a range of different targets.

What should you do?

While we wait for the NVD to publish its scoring on CVE-2021-4034, Synopsys has already issued a Black Duck® Security Advisory, BDSA-2022-0246, and assigned it a CVSS score of 7.8. The 7.8 rating makes it a “high-severity” vulnerability, meaning you should take action right away. Luckily, there is a patch already available for this vulnerability, and you should immediately upgrade your systems to the latest version. There is also a workaround that functions as a stop-gap while you evaluate your systems and perform necessary patches and upgrades.
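
An exposure check to go with the advice above, as an added example that is not from the original post or from Synopsys: it reports whether a pkexec binary on a host is still setuid root, which is the precondition for the local root escalation described. The install paths are assumptions, and the widely published stop-gap for this CVE (clearing the setuid bit on pkexec) is assumed to be the workaround the post alludes to.

```shell
#!/bin/sh
# Added example: classify pkexec binaries by whether they still run setuid root.
# A patched polkit package is the fix; a cleared setuid bit is only the stop-gap.

# Print one of: absent | no-setuid | setuid-root | setuid-other
pkexec_exposure() {
    p=$1
    [ -e "$p" ] || { echo "absent"; return 0; }
    [ -u "$p" ] || { echo "no-setuid"; return 0; }
    # Numeric owner is field 3 of `ls -n`; -L follows symlinks such as /bin -> /usr/bin.
    owner=$(ls -ldnL -- "$p" | awk '{print $3}')
    if [ "$owner" = "0" ]; then
        echo "setuid-root"
    else
        echo "setuid-other"
    fi
}

# Report every candidate path; return 1 if any copy is still setuid root.
audit_pkexec() {
    rc=0
    for candidate in "$@"; do
        state=$(pkexec_exposure "$candidate")
        printf '%-13s %s\n' "$state" "$candidate"
        if [ "$state" = "setuid-root" ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Common install locations (assumed; adjust for your distribution).
if audit_pkexec /usr/bin/pkexec /bin/pkexec /usr/local/bin/pkexec; then
    echo "No setuid-root pkexec found at the checked paths."
else
    echo "setuid-root pkexec present: confirm the polkit package is patched."
fi
```

A `setuid-root` result does not by itself mean the host is vulnerable, since a patched pkexec is also setuid root; treat it as a prompt to verify the installed polkit package against your distribution's advisory.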

How Synopsys can help

The news of this vulnerability comes as we’re still picking up the pieces from the Log4j vulnerability disclosed in December, so it serves as a stark reminder of the frequency with which open source vulnerabilities can surface. Vulnerabilities such as these often necessitate a significant overhaul, but organizations with consistent visibility into the software that powers their business can spend less time on exposure evaluation and more time on remediation. This is what makes a continuously updated software Bill of Materials (SBOM) the key to getting and staying ahead of attackers when the next open source vulnerability is found.

Synopsys Black Duck software composition analysis (SCA) offers multifactor open source scanning technology that ensures you have the most complete and accurate view of the open source in your applications.

Armed with your comprehensive SBOM, Black Duck Security Advisories (BDSAs) provide an added layer of protection, with same-day notification of newly reported vulnerabilities. In the case of PolKit, Black Duck customers are busy working on remediation, while at the time of this blog, NVD data remains a gap.
