PwnKit, or how 12-year-old code can give root to unprivileged users

It looks like IT teams have no respite. Following all the hassles caused by log4j (and its variants), there is a new high-profile, high-risk vulnerability making the rounds. CVE-2021-4034, or PwnKit if you’re into fancy CVE nicknames, is a polkit vulnerability that lets unprivileged users gain root privileges on basically any Linux system out there that has polkit installed.

TuxCare’s Extended Lifecycle Support team is preparing patches for all supported distributions, and they will be available for deployment soon. This post will be updated to reflect the actual availability for each distribution as it happens.

[NOTE: Patches are now available for Centos6, Oracle6, CL6, Ubuntu16, and Centos8.4. More to follow. You can track actual distribution support through the CVE dashboard here: https://cve.tuxcare.com/cve/CVE-2021-4034.]
