Blog

CVEs

Protecting against CVE-2021-4034 Polkit Vulnerability

Protecting against CVE-2021-4034 Polkit Vulnerability


Introduction

Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged

processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed.

It is a memory corruption vulnerability. In case you are wondering what memory corruption is when a program's memory is modified by an attacker in a way that was not intended by the original program. This modification can lead to serious security vulnerabilities, including allowing an attacker to leak sensitive information or execute arbitrary code. polkit’s pkexec, a SUID-root program that allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.To know more check out the CVE-2021-4034

Vulnerability Analysis

The vulnerability is based on shell access in different distros. By just executing an exploit code, we can get shell access in a matter of seconds. Once the attacker gets the shell access then the attacker can able to explore the entire system. Exploiting this vulnerability does require local user access (Example: ubuntu user). But the ease with which even an inexperienced attacker can exploit it is cause for the heightened security level. Users can also manually install the packages in the terminal. ( apt-get install policykit-1)

Here an attacker would need to be logged into the affected system or be able to execute commands on the affected system remotely. The affected binary is pkexec (usually /usr/bin/pkexec) which is “setuid” meaning that when someone runs pkexec, linux will execute the pkexec binary as the user that owns the file. In this case, if the pkexec on root user binary, which is the problem, because the root user can do everything.

Let us see how this vulnerability can be protected using AccuKnox Opensource tools.

Environment Setup

We are going to showcase the vulnerability using an Ubuntu docker image deployed to a Kubernetes cluster. To deploy the ubuntu pod in your k8s Cluster,you can use the below YAML or use the deployment file from accuknox/samples github repository.

YAML file to deploy Ubuntu in k8s

 

NOTE: [Pod name may vary.]

To verify the polkit version we’ll execute inside the pod using the following commands:

Save the exploit code as a *.c file, in this scenario we’ll use the name cve-2021-4034. We'll look at the output of the id command before we perform the exploit.

As you can see, test is a non-root user who does not have root rights. As a result, the test user will only have limited permissions and will be unable to access or alter programs and configuration files that root users can because root users have full access to all files and programmes. The fact that uid and gid both have 1000 indicates that they are new user accounts.

This is the exploit code that invokes pkexec . Here if you run pkexec, it runs as root instead of your own account, and any subprogram you can force it to run will inherit superuser capabilities. This means that any user with access to your system, even if they're logged in as a non root user, may theoretically use pkexec to promote themselves to user ID 0: the root, or superuser, account.
Now compile & run the exploit code using gcc. To view the exploit and deployment files check the  accuknox-samples

We can able to gain root access. You can check below.

KubeArmor Security Policy

Now the AccuKnox is playing a vital role here. To check out more about the work we do click the following AccuKnox . Kubearmor will secure the cloud workloads and kubernetes. To know more checkout the following KubeArmor

To install KubeArmor follow the Deployment Guide
Once the KubeArmor installation is done, execute the below command in your terminal.

After applying the policy, execute into the ubuntu pod and run the script file.

NOTE: Now we can’t able to execute the above script file(exploit.c) because (kubearmor) policy is applied.

To check for logs. copy and paste the following commands in your terminal.

According to the logs, KubeArmor was able to successfully block the vulnerable binary from being executed and generate real-time alerts.

KubeArmor helps you create alerts for any unauthorized modification in your workloads.

Generating a zero-trust profile with Auto Policy Generation Tool.

The auto policy tool will generate policies based on the workloads your running.

Here we will install the Daemonsets and Services. Just copy and paste the following in your terminal.

root@kubearmor: curl -s https://raw.githubusercontent.com/accuknox/tools/main/install.sh | bash

 

In our case, the script file generated seven cilium policy and 2 kubeArmor security policy.

Conclusion

We've shown how simple it is to run a script file (exploit.c) and get root access in order to gather information from the victim machine. Information from several organizations can be exploited and used against them. An organization will suffer a loss as a result of this.

KubeArmor, a cloud run-time security technology developed by AccuKnox, was used to secure the incident. We have solutions for every threat in your cloud environment and virtual machine. Check out the links below to learn more about AccuKnox and its products.

KubeArmor website: https://www.accuknox.com/kubearmor/

KubeArmor GitHub: https://github.com/kubearmor/KubeArmor

KubeArmor Slack: https://kubearmor.herokuapp.com/

Office Hour: Polkit-vulnerability-video

You will find the policy and the deployment files here Deployment-files


Now you can protect your workloads in minutes using AccuKnox, it is available to protect your Kubernetes and other cloud workloads using Kernel Native Primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your cloud security program.

Read more blogs from Cloud Security Category here.