
PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) | Qualys Security Blog

<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1">
<title>PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit&#8217;s pkexec (CVE&#x2d;2021&#x2d;4034) | Qualys Security Blog</title>
<link rel="canonical" href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034" />
<meta name="description" content="The Qualys Research Team has discovered a memory corruption vulnerability in polkit&rsquo;s pkexec, a SUID&#x2d;root program that is installed by default on every major&#8230;" />
<meta property="article:published_time" content="2022-01-25T17:36:43+00:00" /> <meta property="article:modified_time" content="2022-12-22T07:09:13+00:00" />
</head> <body class="post-template-default single single-post postid-29243 single-format-standard">
<div id="page" class="q-main_content"> <div class="q-main_content-container"> <main id="primary" class="site-main q-single__post-content"> <article id="post-29243" class="post-29243 post type-post status-publish format-standard hentry category-vulnerabilities-threat-research tag-pwnkit"> <header
class="entry-header"> <h1 class="q-blog__post-title">PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit&#8217;s pkexec (CVE-2021-4034)</h1> <div class="q-post__entry-header-outerwrapper"> <div class="q-post__entry-header-wrapper"> <div class="q-post__entry-header"> <div class="q-post__entry-avatar"> <img src='https://secure.gravatar.com/avatar/b23b99e61d4ce29240012f2740ad1801?s=110&#038;d=mm&#038;r=g' width='54' alt='Bharat Jogi' /> </div> <div class="entry-meta q-post__entry-meta"> <div class="q-post__entry-author"> <span class="byline"> <span class="author vcard"><a class="url fn n" href="https://blog.qualys.com/author/bharat_jogi">Bharat Jogi</a></span>, Senior Director, Threat Research Unit, Qualys</span> </div> <div class="q-post__entry-time"> <span class="posted-on"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034" rel="bookmark"><time class="entry-date published" datetime="2022-01-25T09:36:43-08:00">January 25, 2022</time><time class="updated" datetime="2022-12-21T23:09:13-08:00">December 21, 2022</time></a></span> - 9 min read </div> </div> </div> <div class="q-post__entry-vote"> <div class='likebutton likebutton_json' data-postid='29243' data-style='style1'></div> </div> </div> </div> <p class='q-last-modified-date'><strong>Last updated on:</strong> <em>December 21, 2022</em></p> </header> <div class="entry-content q-single__post-wrapper q-has-toc"> <div class="q-single__post--toc"><div class="toc"><h4>Table of Contents</h4><ul><li><a href='#about-polkit-pkexec-for-linux'>About Polkit pkexec for Linux</a></li><li><a href='#potential-impact-of-pwnkit-vulnerability'>Potential Impact of PwnKit Vulnerability</a></li><li><a href='#vulnerability-disclosure-timeline'>Vulnerability Disclosure Timeline</a></li><li><a href='#proof-of-concept-video-of-pwnkit-exploit'>Proof of Concept Video of PwnKit Exploit</a></li><li><a 
href='#pwnkit-scan-video'>PwnKit Scan Video</a></li><li><a href='#technical-details-of-pwnkit-vulnerability'>Technical Details of PwnKit Vulnerability</a></li><li><a href='#solution-how-to-patch-the-pwnkit-vulnerability'>Solution: How to Patch the PwnKit Vulnerability</a></li><li><a href='#about-polkit-pkexec-for-linux'>About Polkit pkexec for Linux</a></li><li><a href='#discover-vulnerable-linux-servers-using-qualys-vmdr'>Discover Vulnerable Linux Servers Using Qualys VMDR</a></li><li><a href='#patch-with-qualys-vmdr'>Patch With Qualys VMDR</a></li><li><a href='#leverage-qualys-xdr-identifying-exploit-attempts'>Leverage Qualys XDR Identifying Exploit Attempts</a></li><li><a href='#vendor-references'>Vendor References</a></li><li><a href='#frequently-asked-questions-faqs'>Frequently Asked Questions (FAQs)</a></li></ul></div></div> <div class="q-single__post--content"> <figure class="wp-block-image size-full is-resized q-image-no-shadow"><img loading="lazy" decoding="async" data-attachment-id="29249" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034/attachment/pwnkit" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/pwnkit.png" data-orig-size="623,116" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="pwnkit" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/pwnkit-300x56.png" 
data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/pwnkit.png" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/pwnkit.png" alt="" class="wp-image-29249" width="318" height="60" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/pwnkit.png 623w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/pwnkit-300x56.png 300w" sizes="auto, (max-width: 318px) 100vw, 318px" /></figure> <p>The Qualys Research Team has discovered a memory corruption vulnerability in polkit&#8217;s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.</p> <div class="q-block__cta-wrapper"><div class="q-block__cta-container"><div class="q-block__cta-content"><div class="q-block__cta-icon"><img decoding="async" src="https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/image/app-icons/vmdr.svg" class="q-block__cta-icon--img" alt="Qualys VMDR" /></div><div class="q-block__cta-text"><h4 class="q-block__cta-label">Free Trial</h4><h3 class="q-block__cta-header">Fix the PwnKit Vulnerability with a Free Trial of Qualys</h3></div></div><div class="q-block__cta-action"><a href="https://www.qualys.com/forms/vmdr/" class="q-block__cta-btn"><span>Get the Free Trial</span></a></div></div></div> <h2 id="about-polkit-pkexec-for-linux" class="wp-block-heading">About Polkit pkexec for Linux</h2> <p>Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. 
It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).</p> <h2 id="potential-impact-of-pwnkit-vulnerability" class="wp-block-heading">Potential Impact of PwnKit Vulnerability</h2> <p>Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83,&nbsp; &#8220;Add a pkexec(1) command&#8221;).</p> <p>As soon as our Research Team confirmed the vulnerability, Qualys engaged in responsible vulnerability disclosure and has coordinated with both vendor and open-source distributions to announce the vulnerability.</p> <h2 id="vulnerability-disclosure-timeline" class="wp-block-heading">Vulnerability Disclosure Timeline</h2> <ul class="wp-block-list"> <li>2021-11-18: Advisory sent to secalert@redhat.</li> <li>2022-01-11: Advisory and patch sent to distros@openwall.</li> <li>2022-01-25: Coordinated Release Date (5:00 PM UTC).</li> </ul> <span id="more-29243"></span> <h2 id="proof-of-concept-video-of-pwnkit-exploit" class="wp-block-heading">Proof of Concept Video of PwnKit Exploit</h2> <p>View this video of a potential exploit path.</p> <figure class="wp-block-embed is-type-rich is-provider-embed-handler wp-block-embed-embed-handler wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper"> https://vimeo.com/669715589 </div></figure> <h2 id="pwnkit-scan-video" class="wp-block-heading">PwnKit Scan Video</h2> <p>View this video on how to get visibility of the 
PwnKit vulnerability using Qualys VMDR.</p> <figure class="wp-block-embed is-type-rich is-provider-embed-handler wp-block-embed-embed-handler wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper"> https://vimeo.com/670582239/a0b079b102 </div></figure> <h2 id="technical-details-of-pwnkit-vulnerability" class="wp-block-heading">Technical Details of PwnKit Vulnerability</h2> <p>What follows is an explanation of how the PwnKit vulnerability works.</p> <p>The beginning of pkexec&#8217;s main() function processes the command-line arguments (lines 534-568), and searches for the program to be executed, if its path is not absolute, in the directories of the PATH environment variable (lines 610-640):</p>
<pre><div class="q-code">------------------------------------------------------------------------
 435 main (int argc, char *argv[])
 436 {
 ...
 534   for (n = 1; n &lt; (guint) argc; n++)
 535     {
 ...
 568     }
 ...
 610   path = g_strdup (argv[n]);
 ...
 629   if (path[0] != '/')
 630     {
 ...
 632       s = g_find_program_in_path (path);
 ...
 639       argv[n] = path = s;
 640     }
------------------------------------------------------------------------
</div></pre>
<p>Unfortunately, if the number of command-line arguments argc is 0 &#8211; that is, if the argument list argv that we pass to execve() is empty, i.e. {NULL} &#8211; then argv[0] is NULL, the argument list&#8217;s terminator. Therefore:</p> <ul class="wp-block-list"> <li>&nbsp;at line 534, the integer n is permanently set to 1;</li> <li>&nbsp;at line 610, the pointer path is read out-of-bounds from argv[1];</li> <li>&nbsp;at line 639, the pointer s is written out-of-bounds to argv[1].</li> </ul> <p>But what exactly is read from and written to this out-of-bounds argv[1]?</p> <p>To answer this question, we must digress briefly.
When we execve() a new program, the kernel copies our argument and environment strings, and the pointers to them (argv and envp), to the end of the new program&#8217;s stack; for example:</p>
<pre><div class="q-code">|---------+---------+-----+------------|---------+---------+-----+------------|
| argv[0] | argv[1] | ... | argv[argc] | envp[0] | envp[1] | ... | envp[envc] |
|----|----+----|----+-----+-----|------|----|----+----|----+-----+-----|------|
     V         V                V           V         V                V
 "program" "-option"           NULL      "value" "PATH=name"          NULL</div></pre>
<p>Clearly, because the argv and envp pointers are contiguous in memory, if argc is 0, then the out-of-bounds argv[1] is actually envp[0], the pointer to our first environment variable, &#8220;value&#8221;. Consequently:</p> <ul class="wp-block-list"> <li>&nbsp;At line 610, the path of the program to be executed is read out-of-bounds from argv[1] (i.e. envp[0]), and points to &#8220;value&#8221;;</li> <li>&nbsp;At line 632, this path &#8220;value&#8221; is passed to g_find_program_in_path()&nbsp; (because &#8220;value&#8221; does not start with a slash, at line 629);</li> <li>&nbsp;Then, g_find_program_in_path() searches for an executable file named &#8220;value&#8221; in the directories of our PATH environment variable;</li> <li>&nbsp;If such an executable file is found, its full path is returned to pkexec&#8217;s main() function (at line 632);</li> <li>&nbsp;Finally, at line 639, this full path is written out-of-bounds to argv[1] (i.e.
envp[0]), thus overwriting our first environment variable.</li> </ul> <p>So, stated more precisely:</p> <ul class="wp-block-list"> <li>&nbsp;If our PATH environment variable is &#8220;PATH=name&#8221;, and if the directory &#8220;name&#8221; exists (in the current working directory) and contains an&nbsp; executable file named &#8220;value&#8221;, then a pointer to the string&nbsp; &#8220;name/value&#8221; is written out-of-bounds to envp[0];</li> </ul> <p>OR</p> <ul class="wp-block-list"> <li>&nbsp;If our PATH is &#8220;PATH=name=.&#8221;, and if the directory &#8220;name=.&#8221; exists and contains an executable file named &#8220;value&#8221;, then a pointer to the&nbsp; string &#8220;name=./value&#8221; is written out-of-bounds to envp[0].</li> </ul> <p>In other words, this out-of-bounds write allows us to re-introduce an &#8220;unsecure&#8221; environment variable (for example, LD_PRELOAD) into pkexec&#8217;s environment. These &#8220;unsecure&#8221; variables are normally removed (by ld.so) from the environment of SUID programs before the main() function is called. We will exploit this powerful primitive in the following section.</p> <p>Last-minute note: polkit also supports non-Linux operating systems such as Solaris and *BSD, but we have not investigated their exploitability. 
However, we note that OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0.</p> <h2 id="solution-how-to-patch-the-pwnkit-vulnerability" class="wp-block-heading">Solution: How to Patch the PwnKit Vulnerability</h2> <p>Given the breadth of the attack surface for this vulnerability across both Linux and non-Linux OS, Qualys recommends that users apply patches for this vulnerability immediately.</p> <p>Current Qualys customers can search the vulnerability knowledgebase for CVE-2021-4034 to identify all the QIDs and assets affected by this vulnerability.</p> <p>Other interested parties can start a free Qualys VMDR trial to get full access to the QIDs (detections) for CVE-2021-4034, where all vulnerable assets can be identified.</p> <p>The Qualys Research Team has discovered a memory corruption vulnerability in polkit&#8217;s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.</p> <hr class="wp-block-separator has-css-opacity is-style-wide"/> <p class="has-text-align-center"><strong>Fix the PwnKit Vulnerability with a Free Trial of Qualys</strong></p> <div class="wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex"> <div class="wp-block-button is-style-fill" style="margin: 0 auto 1em;"><a class="wp-block-button__link has-white-color has-text-color has-background" href="https://www.qualys.com/forms/vmdr/" style="background-color:#ed2e26">Get the Free Trial</a></div> </div> <hr class="wp-block-separator has-css-opacity is-style-wide"/> <h2 class="wp-block-heading">About Polkit pkexec for Linux</h2> <h3 class="wp-block-heading">Qualys QID Coverage</h3> <p>Qualys is releasing the QIDs in the table below as they become available starting with vulnsigs version
VULNSIGS-2.5.387-2 and in Linux Cloud Agent manifest version lx_manifest-2.5.387.2-1.</p> <figure class="wp-block-table is-style-stripes"><table><tbody><tr><td><strong>QID</strong></td><td><strong>Title</strong></td><td><strong>VulnSigs Version</strong></td></tr><tr><td>376287</td><td>Polkit pkexec Local Privilege Escalation Vulnerability (PwnKit)</td><td>VULNSIGS-2.5.387-2 / lx_manifest-2.5.387.2-1</td></tr></tbody></table></figure> <h2 id="discover-vulnerable-linux-servers-using-qualys-vmdr" class="wp-block-heading">Discover Vulnerable Linux Servers Using Qualys VMDR</h2> <h3 class="wp-block-heading">Identify Assets Running Linux Kernel</h3> <p>The following instructs current Qualys customers on how to detect PwnKit in their environment.</p> <p>The first step in managing this&nbsp;critical vulnerability and reducing risk is the identification of all assets running Linux OS. <a href="https://www.qualys.com/apps/vulnerability-management-detection-response/">Qualys VMDR</a> makes it easy to identify such assets.</p> <p><em>Query: operatingSystem.category1:`Linux`</em></p> <figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/csam.jpg"><img loading="lazy" decoding="async" width="1420" height="797" data-attachment-id="29248" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034/attachment/csam-3" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/csam.jpg" data-orig-size="1420,797" data-comments-opened="1"
data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="csam" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/csam-300x168.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/csam-1070x601.jpg" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/csam.jpg" alt="" class="wp-image-29248" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/csam.jpg 1420w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/csam-300x168.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/csam-1070x601.jpg 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/csam-768x431.jpg 768w" sizes="auto, (max-width: 1420px) 100vw, 1420px" /></a></figure> <p>Once the hosts are identified, they can be grouped together with a ‘dynamic tag’, let’s say: “Linux Servers”. This helps by automatically grouping existing hosts with the above vulnerabilities as well as any new Linux assets that spin up in your environment. 
Tagging makes these grouped assets available for querying, reporting, and management throughout the <a href="https://www.qualys.com/cloud-platform/">Qualys Cloud Platform</a>.</p> <h3 class="wp-block-heading">Prioritize Based on RTIs</h3> <p>Using Qualys VMDR, the PwnKit vulnerability can be prioritized using the following real-time threat indicators (RTIs):</p> <ul class="wp-block-list"> <li>Predicted_High_Risk</li> <li>Privilege_Escalation</li> <li>Easy_Exploit</li> <li>High_Lateral_Movement</li> </ul> <figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit.jpg"><img loading="lazy" decoding="async" width="2080" height="1300" data-attachment-id="29246" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034/attachment/priotization-pwnkit" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit.jpg" data-orig-size="2080,1300" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Priotization-Pwnkit" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit-300x188.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit-1070x669.jpg" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit.jpg" alt="" class="wp-image-29246" 
srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit.jpg 2080w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit-300x188.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit-1070x669.jpg 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit-768x480.jpg 768w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit-1536x960.jpg 1536w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/Priotization-Pwnkit-2048x1280.jpg 2048w" sizes="auto, (max-width: 2080px) 100vw, 2080px" /></a></figure> <h2 id="patch-with-qualys-vmdr" class="wp-block-heading">Patch With Qualys VMDR</h2> <p>We expect vendors to release patches for this vulnerability in the short term. Qualys Patch Management can be used to deploy those patches to vulnerable assets, when available.</p> <p>Using the same prioritization based on the RTI method as described above, customers can use the “patch now” button found to the right of the vulnerability to add PwnKit to a patch job. Once patches are released, Qualys will find the relevant patches for this vulnerability and automatically add those patches to a patch job. 
This will allow customers to deploy those patches to vulnerable devices, all from Qualys Cloud Platform.</p> <h3 class="wp-block-heading">Detect Impacted Assets with Threat Protection</h3> <p>VMDR also enables you to automatically map assets vulnerable to PwnKit vulnerabilities using Threat Protect.</p> <figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit.jpg"><img loading="lazy" decoding="async" width="2080" height="1251" data-attachment-id="29245" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034/attachment/threatfeed-pwnkit" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit.jpg" data-orig-size="2080,1251" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="ThreatFeed-Pwnkit" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit-300x180.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit-1070x644.jpg" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit.jpg" alt="" class="wp-image-29245" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit.jpg 2080w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit-300x180.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit-1070x644.jpg 1070w, 
https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit-768x462.jpg 768w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit-1536x924.jpg 1536w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/ThreatFeed-Pwnkit-2048x1232.jpg 2048w" sizes="auto, (max-width: 2080px) 100vw, 2080px" /></a></figure> <h3 class="wp-block-heading">Track Vulnerability with VMDR Dashboard</h3> <p>With VMDR Unified Dashboard, you can track this vulnerability, impacted hosts, status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerability trends in your environment using the “PwnKit” Dashboard.</p> <div class="wp-block-file"><a id="wp-block-file--media-a7ce86e1-964f-46ea-ac34-e702803e8de0" href="https://blog.qualys.com/wp-content/uploads/2022/01/Polkits_pkexec_PWNKIT_VMdashboard.zip">Download and view the &#8220;PwnKit&#8221; dashboard</a><a href="https://blog.qualys.com/wp-content/uploads/2022/01/Polkits_pkexec_PWNKIT_VMdashboard.zip" class="wp-block-file__button wp-element-button" download aria-describedby="wp-block-file--media-a7ce86e1-964f-46ea-ac34-e702803e8de0">Download</a></div> <figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard.jpg"><img loading="lazy" decoding="async" width="2080" height="1842" data-attachment-id="29255" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034/attachment/vmdr-polkit-dashboard" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard.jpg" data-orig-size="2080,1842" data-comments-opened="1" 
data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="vmdr-polkit-dashboard" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard-300x266.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard-1070x948.jpg" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard.jpg" alt="" class="wp-image-29255" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard.jpg 2080w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard-300x266.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard-1070x948.jpg 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard-768x680.jpg 768w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard-1536x1360.jpg 1536w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/vmdr-polkit-dashboard-2048x1814.jpg 2048w" sizes="auto, (max-width: 2080px) 100vw, 2080px" /></a></figure> <h2 id="leverage-qualys-xdr-identifying-exploit-attempts" class="wp-block-heading">Leverage Qualys XDR Identifying Exploit Attempts</h2> <p>Qualys XDR customers can use the rule name titled – “T1068 – Linux: Polkit pkexec Local Privilege Escalation Vulnerability Detected (CVE-2021-4034)” to detect post-exploitation activity on affected systems. 
Once the rule is enabled, customers can also search for vulnerable systems using the following QQL query:</p> <p><code>eventName:"The value for the SHELL variable was not found the /etc/shells file" or "contains suspicious content"</code></p> <p>These strings are the log traces that an exploitation attempt can leave behind (see the FAQ below); because the vulnerability can also be exploited without leaving any traces in the logs, an empty result does not rule out exploitation.</p> <p>Customers will be able to see output similar to the following screenshot:</p> <figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/threat-management.jpg"><img loading="lazy" decoding="async" width="1430" height="693" data-attachment-id="29247" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034/attachment/threat-management" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/threat-management.jpg" data-orig-size="1430,693" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="threat-management" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/threat-management-300x145.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/threat-management-1070x519.jpg" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/threat-management.jpg" alt="" class="wp-image-29247" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/threat-management.jpg 1430w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/threat-management-300x145.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/threat-management-1070x519.jpg 1070w,
https://ik.imagekit.io/qualys/wp-content/uploads/2022/01/threat-management-768x372.jpg 768w" sizes="auto, (max-width: 1430px) 100vw, 1430px" /></a></figure> <p>Interested customers can contact <a href="https://www.qualys.com/support/">Qualys Support</a> for a copy of the XDR rule until it is available in the rule library.</p> <h2 id="vendor-references" class="wp-block-heading">Vendor References</h2> <p><a href="https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt">Read the PwnKit security advisory</a></p> <h2 id="frequently-asked-questions-faqs" class="wp-block-heading">Frequently Asked Questions (FAQs)</h2> <h3 class="wp-block-heading">What versions are vulnerable?</h3> <p>All Polkit versions from 2009 onwards are vulnerable until the fix for CVE-2021-4034 has been applied.</p> <h3 class="wp-block-heading">Will the Qualys Research Team publish exploit code for this vulnerability?</h3> <p>No. But given how easy it is to exploit the vulnerability, we anticipate that public exploits will become available within a few days of this blog’s post date.</p> <h3 class="wp-block-heading">Are there any mitigations for this vulnerability?</h3> <p>If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation; for example:</p> <p><code># chmod 0755 /usr/bin/pkexec</code></p> <p>Removing the SUID bit stops pkexec from elevating privileges for unprivileged users, so anything that depends on it will fail until the patched package is installed; confirm the resulting mode with <code>ls -l /usr/bin/pkexec</code>, because reinstalling an unpatched polkit package would restore the SUID bit.</p> <h3 class="wp-block-heading">Is this vulnerability remotely exploitable?</h3> <p>No. But if an attacker can log in as any unprivileged user, the vulnerability can be quickly exploited to gain root privileges.</p> <h3 class="wp-block-heading">Is it possible to check for evidence of exploitation?</h3> <p>Yes, this exploitation technique leaves traces in the logs (either &#8220;The value for the SHELL variable was not found the /etc/shells file&#8221; or &#8220;The value for environment variable [&#8230;] contains suspicious content&#8221;).
However, please note that this vulnerability is also exploitable without leaving any traces in the logs.</p> <h3 class="wp-block-heading">Why is the vulnerability named “PwnKit”?</h3> <p>This is a pun intended on the name of the vulnerable application Polkit.</p> <div class="q-block__cta-wrapper"><div class="q-block__cta-container"><div class="q-block__cta-content"><div class="q-block__cta-icon"><img decoding="async" src="https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/image/app-icons/vmdr.svg" class="q-block__cta-icon--img" alt="Qualys VMDR" /></div><div class="q-block__cta-text"><h4 class="q-block__cta-label">Free Trial</h4><h3 class="q-block__cta-header">Fix the PwnKit Vulnerability with a Free Trial of Qualys</h3></div></div><div class="q-block__cta-action"><a href="https://www.qualys.com/forms/vmdr/" class="q-block__cta-btn"><span>Get the Free Trial</span></a></div></div></div> <div id='jp-relatedposts' class='jp-relatedposts' > <h3 class="jp-relatedposts-headline"><em>Related</em></h3> </div> </div> </div> <footer class="entry-footer"> <div class='q-single-post__footer-content'> <div class='q-single-post__footer-author'> <div class='q-post__entry-avatar'> <img src='https://secure.gravatar.com/avatar/b23b99e61d4ce29240012f2740ad1801?s=180&#038;d=mm&#038;r=g' width='90' alt='Bharat Jogi' /> </div> <div class='q-post__entry-author'> <div class='q-post__entry-writtenby'>Written by</div> <span class="byline"> <span class="author vcard"><a class="url fn n" href="https://blog.qualys.com/author/bharat_jogi">Bharat Jogi</a></span>, Senior Director, Threat Research Unit, Qualys</span> <div class='q-post__entry-author-email'>Write to Bharat at <a href='mailto:bjogi@qualys.com'>bjogi@qualys.com</a></div> </div> </div> <div class='q-single-post__footer-actions'> <div class='q-single-post__action'><label>Like</label><div class='likebutton likebutton_json' data-postid='29243' data-style='style2'></div></div> <div 
class="q-single-post__action"></div> </div> </div> </footer> </article> <div id="comments" class="comments-area"> <ol class="comment-list skip-lazy">
<li id="comment-464391" class="comment even thread-even depth-1"> <article id="div-comment-464391" class="comment-body"> <footer class="comment-meta"> <div class="comment-author vcard"> <b class="fn">Damian OHara</b> <span class="says">says:</span> </div><!-- .comment-author --> <div class="comment-metadata"> <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034#comment-464391"><time datetime="2022-01-26T00:18:14-08:00">January 26, 2022 at 12:18 AM</time></a> </div><!-- .comment-metadata --> </footer><!-- .comment-meta --> <div class="comment-content"> <p>Should this threat show in the threatprotect dashboard ? For us it doesn&#8217;t. EU2 SOC.</p> </div><!-- .comment-content --> </article><!-- .comment-body --> </li><!-- #comment-## -->
<li id="comment-464437" class="comment odd alt thread-odd thread-alt depth-1"> <article id="div-comment-464437" class="comment-body"> <footer class="comment-meta"> <div class="comment-author vcard"> <b class="fn">Stephan</b> <span class="says">says:</span> </div><!-- .comment-author --> <div class="comment-metadata"> <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034#comment-464437"><time datetime="2022-01-26T01:58:53-08:00">January 26, 2022 at 1:58 AM</time></a> </div><!-- .comment-metadata --> </footer><!-- .comment-meta --> <div class="comment-content"> <p>This is similar to a typical sudo exploit. On my personal systems, I always remove sudo and remove all users from the sudo group. In that case, the exploit does not seem to work.</p> <p>I understand that this is not a solution for a non-personal system with multiple admins, but it still valuable information for many</p> </div><!-- .comment-content --> </article><!-- .comment-body --> </li><!-- #comment-## -->
<li id="comment-464601" class="comment even thread-even depth-1"> <article id="div-comment-464601" class="comment-body"> <footer class="comment-meta"> <div class="comment-author vcard"> <b class="fn">TheCaptain</b> <span class="says">says:</span> </div><!-- .comment-author --> <div class="comment-metadata"> <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034#comment-464601"><time datetime="2022-01-26T09:43:39-08:00">January 26, 2022 at 9:43 AM</time></a> </div><!-- .comment-metadata --> </footer><!-- .comment-meta --> <div class="comment-content"> <p>So not remotely exploitable and you have to be root to install a compiler to gain root privileges? Next.</p> </div><!-- .comment-content --> </article><!-- .comment-body --> </li><!-- #comment-## -->
<li id="comment-464648" class="comment odd alt thread-odd thread-alt depth-1"> <article id="div-comment-464648" class="comment-body"> <footer class="comment-meta"> <div class="comment-author vcard"> <b class="fn">H.</b> <span class="says">says:</span> </div><!-- .comment-author --> <div class="comment-metadata"> <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034#comment-464648"><time datetime="2022-01-27T09:12:00-08:00">January 27, 2022 at 9:12 AM</time></a> </div><!-- .comment-metadata --> </footer><!-- .comment-meta --> <div class="comment-content"> <p>Hello,</p> <p>Could you add Ubuntu package &#8220;policykit&#8221; to QID 376287?</p> <p>Regards</p> </div><!-- .comment-content --> </article><!-- .comment-body --> </li><!-- #comment-## -->
<li id="comment-464659" class="comment even thread-even depth-1"> <article id="div-comment-464659" class="comment-body"> <footer class="comment-meta"> <div class="comment-author vcard"> <b class="fn">Vijay Sarvepalli</b> <span class="says">says:</span> </div><!-- .comment-author --> <div class="comment-metadata"> <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034#comment-464659"><time datetime="2022-01-27T12:59:32-08:00">January 27, 2022 at 12:59 PM</time></a> </div><!-- .comment-metadata --> </footer><!-- .comment-meta --> <div class="comment-content"> <p>Hello Bharat,<br /> On your vulnerability disclosure timeline was the opensource community not notified till 7weeks or so after contacting RedHat? Any reason for this delay ?</p> <p>2021-11-18: Advisory sent to secalert@redhat.<br /> 2022-01-11: Advisory and patch sent to distros@openwall.<br /> 2022-01-25: Coordinated Release Date (5:00 PM UTC).</p> </div><!-- .comment-content --> </article><!-- .comment-body --> </li><!-- #comment-## -->
<li id="comment-464783" class="comment odd alt thread-odd thread-alt depth-1"> <article id="div-comment-464783" class="comment-body"> <footer class="comment-meta"> <div class="comment-author vcard"> <b class="fn">Info security</b> <span class="says">says:</span> </div><!-- .comment-author --> <div class="comment-metadata"> <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034#comment-464783"><time datetime="2022-01-29T15:05:01-08:00">January 29, 2022 at 3:05 PM</time></a> </div><!-- .comment-metadata --> </footer><!-- .comment-meta --> <div class="comment-content"> <p>I am still not fully convinced this is a critical and urgent problem: to let pkexec run your program as root, you need to know the root password and enter it first, then when you know the root password, if you want you can do anything, why need to do the exploit?</p> </div><!-- .comment-content --> </article><!-- .comment-body --> </li><!-- #comment-## -->
<li id="comment-465375" class="comment even thread-even depth-1"> <article id="div-comment-465375" class="comment-body"> <footer class="comment-meta"> <div class="comment-author vcard"> <b class="fn">Ian Golding</b> <span class="says">says:</span> </div><!-- .comment-author --> <div class="comment-metadata"> <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034#comment-465375"><time datetime="2022-02-03T07:37:34-08:00">February 3, 2022 at 7:37 AM</time></a> </div><!-- .comment-metadata --> </footer><!-- .comment-meta --> <div class="comment-content"> <p>why are different numbers returned if a search is performed by CVE id and QID?</p> </div><!-- .comment-content --> </article><!-- .comment-body --> </li><!-- #comment-## -->
<li id="comment-465376" class="comment odd alt thread-odd thread-alt depth-1"> <article id="div-comment-465376" class="comment-body"> <footer class="comment-meta"> <div class="comment-author vcard"> <b class="fn">Ian Golding</b> <span class="says">says:</span> </div><!-- .comment-author --> <div class="comment-metadata"> <a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034#comment-465376"><time datetime="2022-02-03T07:52:27-08:00">February 3, 2022 at 7:52 AM</time></a> </div><!-- .comment-metadata --> </footer><!-- .comment-meta --> <div class="comment-content"> <p>why do I get different results for impacted assets if I search based on QID or CVEid?</p> </div><!-- .comment-content --> </article><!-- .comment-body --> </li><!-- #comment-## -->
</ol><!-- .comment-list --> </div><!-- #comments --> </main><!-- #main --> </div><!-- .q-main_content-container --> </div><!-- #page --> <footer id="colophon" class="site-footer q-footer"> <div class="q-footer__container"> <div class="q-footer__row"> <div class="q-footer__column--wide q-footer__column--desktop"> 
