A trivially exploitable vulnerability has been disclosed in Polkit, a component installed by default on many Linux distributions. Successful exploits of this vulnerability would grant an attacker full root privileges on the host. Most devices in the Extended Internet of Things (XIoT) are likely affected.
The vulnerability, which Qualys has named PwnKit (CVE-2021-4034) has been in Polkit—once known as PolicyKit—for more than a decade. Polkit manages system-wide privileges on Linux operating systems and oversees how non-privileged processes communicate with privileged ones.
This memory-corruption issue likely impacts most devices in the XIoT, including industrial OT, enterprise IoT, and medical IoT equipment. PwnKit is a local privilege escalation vulnerability, meaning that an attacker would already need to have access to a vulnerable host in order to exploit the vulnerability.
Users who manage any Linux devices should determine their exposure and patch immediately. Qualys said it sent patches to affected distributions on Jan. 11; If a patch is not yet available for a particular Linux distribution, Qualys suggests as a mitigation that users remove the SUID-bit from Polkit's pkexec function.
In its advisory, Qualys said it was able to trigger the vulnerability in Polkit's pkexec function and gain root access on default installations of Ubuntu, Debian, Fedora, and CentOS. It's likely that other distributions are vulnerable, and exploitable.
Team82 has confirmed it was able to trigger the vulnerability, see the video below.
Qualys said it is unaware of public exploits. Qualys did not publish its proof-of-concept exploit because of the ease of exploitation involved with attacking this vulnerability. Others, however, have already reverse-engineered the bug and published PoCs online, indicating that more malicious exploits may not be far behind.
Users can find artifacts of exploits in logs, but Qualys cautions that the vulnerability may be quietly exploited as well.
"This exploitation technique leaves traces in the logs (either "The value for the SHELL variable was not found in the /etc/shells file" or "The value for environment variable […] contains suspicious content")," Qualys said in its advisory. "However, please note that this vulnerability is also exploitable without leaving any traces in the logs."
The disclosure of PwnKit is going to further inflame discussions about the security of open source software. Recently, the White House gathered tech leaders to discuss the issue in the context of the Log4j vulnerability in Apache. Log4j is a logging framework native to Apache that was ubiquitous across IT and operational technology environments. Multiple vulnerabilities and exploits surfaced post-disclosure, and the Biden administration expressed concern over the use of open source components in software used in critical infrastructure.
The issue when vulnerabilities such as PwnKit and Log4j arise is that users may be blind to these components running inside commercial or homegrown applications, so they may not understand their exposure when critical vulnerabilities are disclosed.
The Biden administration, last year in an Executive Order signed in May of last year, mandated that the federal government take steps to beef up the security of the software supply chain. The EO was in reaction to the SolarWinds compromise of late 2020, which demonstrated the fragility of the supply chain and reinforced the need for secure software development practices and oversight of products used by the federal government and within critical infrastructure.
One critical component of the EO was the need for a software bill of materials (SBOM) to be made available for each product used by the federal government. SBOMs describe the software components used in the development of a commercial product.
The availability of such a list would remove the mystery as to whether components such as Polkit, Log4j and others are running under the covers. Asset owners and IT administrators responsible for vulnerability management would immediately understand their exposure and be able to prioritize patching and other mitigations.
CWE-257: Storing Passwords in a Recoverable Format
RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 5.3
CWE-321: Use of Hard-coded Cryptographic Key
A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 10.0
CWE-259: Use of Hard-coded Password
RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 8.2
CWE-321: Use of Hard-coded Cryptographic Key
RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.8
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.0
