Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) added a Linux vulnerability called PwnKit to its Known Exploited Vulnerabilities (KEV) catalog and issued a warning regarding active exploitation of the flaw in cyber attacks.
The vulnerability tracked as CVE-2021-4034 (CVSS score: 7.8), first identified earlier this year in January by the American company Qualys, impacts Polkit, a feature designed for managing system-wide privileges in Unix-like operating systems. Polkit is manufactured by Red Hat, but it’s also employed by other Linux distributions.
PwnKit, a memory corruption issue, if successfully exploited, might cause pkexec to run arbitrary code, and allow an unprivileged hacker administrative right on the target device to exploit the host. The researchers claim that the vulnerability is installed by default on all Linux distributions and has existed in the pkexec component (graphical interface) since its creation, that is, nearly 13 years.
The security bug has been identified to impact the products of multiple major firms. Juniper Networks, Moxa, IBM, VMware, Siemens, and others have published advisories to elaborate on the impact of CVE-2021-4034.
Security researchers have been warned that the threat of malicious exploitation of PwnKit is high since proof-of-concept (PoC) exploits have been available and exploitation is not difficult.
CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog — also known as the agency’s “Must Patch” list — and ordered federal agencies to remediate all the newly listed vulnerabilities by July 18, while private firms have been requested to leverage the flaw catalog to improve their patching and vulnerability management processes.
Security experts noted that while exploitation of CVE-2021-4034 should leave traces in log files, it’s also possible to abuse the vulnerability without leaving such traces.
In addition to the PwnKit vulnerability, CISA has added seven other flaws to its catalog, including an exploited Mitel VoIP zero-day flaw in ransomware assaults (CVE-2022-29499) and five iOS vulnerabilities (CVE-2020-3837, CVE-2019-8605, CVE-2018-4344, CVE-2020-9907 and CVE-2021-30983) that were recently unearthed as having been exploited by the Italian spyware firm RCS Lab.
CVE-2021-30533, a security vulnerability in web browsers based on Chromium, is also listed in the catalog. This flaw was exploited by a malvertising hacker going by the moniker Yosec in order to deploy malicious payloads.