CVE-2021-4034
📋 TL;DR
CVE-2021-4034 (PwnKit) is a local privilege escalation vulnerability in polkit's pkexec utility that allows unprivileged local users to gain root privileges by exploiting improper argument handling. This affects all Linux systems with polkit installed, which is present by default on most modern Linux distributions. The vulnerability is particularly dangerous because it's easy to exploit and requires no user interaction.
💻 Affected Systems
- polkit
- pkexec
📦 What is this software?
Command Center by Starwindsoftware
Enterprise Linux For Ibm Z Systems by Redhat
Enterprise Linux For Ibm Z Systems Eus by Redhat
Enterprise Linux For Power Big Endian by Redhat
Enterprise Linux For Power Little Endian by Redhat
Enterprise Linux For Power Little Endian Eus by Redhat
Enterprise Linux For Scientific Computing by Redhat
Enterprise Linux Server Update Services For Sap Solutions by Redhat
Linux Enterprise High Performance Computing by Suse
Linux Enterprise Workstation Extension by Suse
Polkit by Polkit Project
Starwind Virtual San by Starwindsoftware
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where any local user (including low-privileged service accounts) can gain root privileges and execute arbitrary code with full system control.
Likely Case
Local privilege escalation leading to administrative access, data theft, persistence establishment, and lateral movement within the environment.
If Mitigated
Limited impact if proper access controls, least privilege principles, and monitoring are in place to detect privilege escalation attempts.
🎯 Exploit Status
Multiple public proof-of-concept exploits are available. Exploitation requires local access but no authentication beyond having a user account. The exploit is simple and reliable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: polkit 0.121 and later
Vendor Advisory: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
Restart Required: No
Instructions:
1. Update the polkit package using your distribution's package manager.
2. For RHEL/CentOS: 'yum update polkit'.
3. For Ubuntu/Debian: 'apt update && apt upgrade policykit-1'.
4. Verify the update installed polkit version 0.121 or higher.
🔧 Temporary Workarounds
Remove SUID bit from pkexec
Linux: Removes the setuid permission from pkexec, preventing privilege escalation but breaking legitimate pkexec functionality.
chmod 0755 /usr/bin/pkexec
Temporary mitigation via chmod 0
Linux: Completely disables pkexec by removing execute permissions.
chmod 0 /usr/bin/pkexec
🧯 If You Can't Patch
- Implement strict access controls and limit local user accounts
- Monitor for privilege escalation attempts and pkexec usage in logs
🔍 How to Verify
Check if Vulnerable:
Check the polkit version: 'pkexec --version' or 'rpm -q polkit' or 'dpkg -l policykit-1'. If the version is 0.120 or earlier, the system is vulnerable.
Check Version:
pkexec --version 2>/dev/null || rpm -q polkit 2>/dev/null || dpkg -l policykit-1 2>/dev/null | grep ^ii
Verify Fix Applied:
Verify polkit version is 0.121 or higher: 'pkexec --version' should show 0.121+. Test with known exploit PoC to confirm failure.
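The mode check behind the two chmod workarounds and the version check from the verification steps, combined in one script. This is an added example, not code from the advisory or the polkit project, and the function names are hypothetical. Distribution packages can carry a backported fix under an older upstream version number, so a below-threshold result means "confirm against the vendor advisory".

```shell
#!/bin/sh
# Added example (not from the advisory page): audit pkexec against the
# workarounds and the version threshold given above.

# Print one of: absent | disabled | suid-removed | suid-set
pkexec_mode_state() {
    if [ ! -e "$1" ]; then echo absent
    elif [ -u "$1" ]; then echo suid-set        # setuid bit still present
    elif [ -x "$1" ]; then echo suid-removed    # state after chmod 0755
    else echo disabled                          # state after chmod 0
    fi
}

# Return 0 if dotted version $1 >= $2, 1 if lower, 2 if not purely numeric.
version_ge() {
    case "$1$2" in ''|*[!0-9.]*) return 2 ;; esac
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Verdict for a pkexec path plus the version string it reports.
# The 0.121 threshold is the patch version stated on this page.
audit_pkexec() {
    state=$(pkexec_mode_state "$1")
    if [ "$state" != suid-set ]; then
        echo "not exposed ($state)"
    elif version_ge "$2" 0.121; then
        echo "patched (suid-set, version $2)"
    else
        echo "review (suid-set, version ${2:-unknown} below 0.121 or unparsable)"
    fi
}

# Live check: /usr/bin/pkexec is the path used in the workarounds above.
ver=$(pkexec --version 2>/dev/null | awk '{print $NF}')
audit_pkexec /usr/bin/pkexec "$ver"
```
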
📡 Detection & Monitoring
Log Indicators:
- Unusual pkexec invocations
- Failed privilege escalation attempts
- Process execution with unexpected parent-child relationships
Network Indicators:
- None - this is a local privilege escalation
SIEM Query:
process.name:"pkexec" AND user.name!="root" AND process.parent.name NOT IN ("sudo", "su", "systemd", "login")
🔗 References
- http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html
- http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html
- https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
- https://bugzilla.redhat.com/show_bug.cgi?id=2025869
- https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf
- https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
- https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/
- https://www.starwindsoftware.com/security/sw-20220818-0001/
- https://www.suse.com/support/kb/doc/?id=000020564
- https://www.vicarius.io/vsociety/posts/pwnkit-pkexec-lpe-cve-2021-4034
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-4034