DCS protection for Polkit vulnerability CVE-2021-4034 aka PwnKit and authorized use of setuid programs

Critical System Protection


23 March 2022


Polkit is an application-level toolkit, installed by default on major Linux distributions, that lets non-privileged processes communicate with privileged ones through policy checks. Multiple vulnerabilities have been associated with the Polkit component in recent months. CVE-2021-4034 is a local privilege escalation vulnerability in the pkexec tool from the Polkit component that allows an unprivileged local user to obtain root access on a Linux server, bypassing any authentication. Several public exploits are available that show how easy it is for a non-root user to gain a root shell on unpatched systems.
 
Symantec Data Center Security's default hardening policy for Linux and UNIX servers provides advanced lockdown for the root account beyond the OS restrictions. In addition, the DCS hardening policy lets you respond to threats such as PwnKit with a simple configuration that prevents or limits the use of setuid applications in your environment.
 
The following is an example of how to use DCS to set up authorized use of setuid programs and prevent exploitation of CVE-2021-4034 by non-root users and processes. DCS file resource access controls can be configured to prevent use of pkexec while allowing exceptions for selected trusted users or groups.
 
In the UNIX prevention policy - 
  • Prevent the launch of pkexec for all interactive users by adding the program to the No-Access File Resource List
               Home -> Sandboxes -> Default Interactive Sandbox -> File Rules -> No-Access Resource Lists 
               Resource Path: /usr/bin/pkexec
               Program Path: *
 
  • Configure exceptions to allow trusted users to be able to use the pkexec program. If your organization does not use the pkexec program, you can skip this step.
               Home -> Sandboxes -> Default Interactive Sandbox -> File Rules -> Read-only Resource Lists
               Resource Path: /usr/bin/pkexec
               Program Path: *
               User Name: trusteduser
 
This hardening rule can be implemented at any level: only for interactive standard users, as shown above, at the Group level for interactive programs, or at the Global level.
 
Similar authorized-use controls for setuid programs can be implemented with DCS policy for other tools such as /bin/su, /bin/sudo and /usr/bin/passwd.
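As an added example (not part of this article and not a DCS tool), the POSIX shell audit below inventories the setuid programs on a host and checks the ones named above, so you can see which programs still need an authorized-use rule like the pkexec one. The candidate paths are the article's; the scan root and the output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: audit setuid programs so each one
# can be covered by a DCS authorized-use rule. Paths below are the ones the
# article names; SCAN_ROOT is an assumption and may be overridden.

# Programs the article names as setuid tools worth restricting.
CANDIDATES="/usr/bin/pkexec /bin/su /bin/sudo /usr/bin/passwd"

# is_setuid PATH -> exit 0 if PATH is a regular file with the setuid bit set
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# list_setuid DIR -> print every regular file under DIR with the setuid bit
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# report_candidates PATH... -> one line per path: setuid / not setuid / missing
report_candidates() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf '%s missing\n' "$p"
        elif is_setuid "$p"; then
            printf '%s setuid\n' "$p"
        else
            printf '%s not setuid\n' "$p"
        fi
    done
}

# Stand-alone run: status of the article's candidates, then the full inventory.
report_candidates $CANDIDATES
echo "--- all setuid files under ${SCAN_ROOT:-/usr} ---"
list_setuid "${SCAN_ROOT:-/usr}"
```

Every path reported as setuid is a candidate for the No-Access / Read-only resource list pattern shown above.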
 
As always, test these hardening changes in a lab setup before rolling them out to production.