Security News > 2022 > January > Patch now: A newly discovered critical Linux vulnerability probably affects your systems

Dubbed PwnKit, it's been sitting in a user policy module used in Linux distros for over a decade and can be used by anyone to gain root privileges.

Heads up, Linux users: A newly discovered vulnerability in pretty much every major distro allows any unprivileged user to gain root access to their target, and it's been hiding in plain sight for 12 years.

The actual execution isn't very complicated, and Linux users with a good understanding of environment variables, user permissions and launching applications with arguments could feasibly craft an exploit that takes advantage of the PwnKit vulnerability.

The research team responsible for its discovery was able to develop an exploit and gain root access on default installations of Ubuntu, Debian, Fedora and CentOS. "Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009," Qualys director of vulnerability and threat research Bharat Jogi said in a post describing the discovery.

Pkexec is used legitimately to run Linux applications as another user, which is an incredibly common thing to do, especially for Linux administrators and users who need to run a particular program without having an administrator account.

In some instances of OEM-distributed Linux systems the vulnerability may still be present, or it may be more complicated to patch the affected machine, so contact your vendors to ensure you're getting necessary patches.

News URL

https://www.techrepublic.com/article/patch-now-a-newly-discovered-critical-linux-vulnerability-probably-affects-your-systems/#ftag=RSS56d97e7