‘PwnKit’ vulnerability exploited in the wild: How Red Hat responded

Ravie Lakshmanan's recent article CISA warns of active exploitation of 'PwnKit' Linux vulnerability in the wild articulates the vulnerability in Polkit (CVE-2021-4034) and recommends “to mitigate any potential risk of exposure to cyberattacks… that organizations prioritize timely remediation of the issues," while "federal civilian executive branch agencies, however, are required to mandatorily patch the flaws by July 18, 2022.” 

You might be asking: What is this vulnerability, and what has Red Hat done to address this concern for customers? 

What is the PwnKit vulnerability?

The vulnerability was discovered by Qualys in January 2022 and given the identifier CVE-2021-4034. Polkit, formerly known as PolicyKit, is a toolkit for controlling systemwide privileges in Unix-like operating systems, including all Linux distributions. The toolkit provides a mechanism for non-privileged processes to communicate with privileged processes. This allows an authorized user to execute commands as another user using appropriate local-privilege elevation in Polkit’s pkexec utility. The flaw's exploitation would grant an unprivileged attacker administrative rights on the target machine, compromising the host. 

The vulnerability is known as PwnKit.  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerability Catalog on June 27, 2022, with a resolution date of July 18, 2022. The CVSS v3 score for this vulnerability is 7.8, earning a high severity rating. 

How Red Hat responded to CVE-2021-4034

Red Hat Product Security issued errata for CVE-2021-4034 in January 2022 and February 2022. All the affected platforms and packages supported by Red Hat were fixed as of February 7, 2022, well in advance of the July 18, 2022, deadline set by CISA. In addition, Product Security quickly issued a mitigation procedure for customers who could not update their software immediately.  

How Red Hat monitors exploited vulnerabilities in the wild

Red Hat’s Product Security team actively tracks active exploits reported by CISA against components shipped in the Red Hat portfolio. When CISA reports an exploit in the wild, Red Hat’s Product Security team checks the current status of our portfolio regarding the impact of the exploitable vulnerability. All vulnerabilities are fixed in accordance with our life-cycle policies. If the vulnerability has not yet been fixed according to the policy (for example, if the vulnerability was not rated Critical or Important), Product Security will fast-track a fix. 

Product’s Security awareness and visibility into reported exploits allow us to be proactive in the ever-changing threat landscape to fix vulnerabilities that truly matter. This allows Red Hat to continue to be a trusted vendor and partner to our customers.

References

• Qualys security advisory for CVE-2021-4034

• CISA Known Exploited Vulnerability Catalog

• CISA warns of active exploitation of 'PwnKit' Linux vulnerability in the wild

Learn more

• Red Hat Product Security Overview

• Red Hat Product Security Center

• Red Hat Blog Channel: Security