Security News
After adding a Polkit rule to permit our account to do "Root" stuff, # we get automatic, temporary authorisation to run as the root user... $ pkexec ls -l /etc/polkit-1/rules. Rules # And if we put no command and no username on the command line, pkexec # assumes that we want a shell, so it runs our preferred shell, # making us root until we exit back to the parent shell $ pkexec bash-5.1# id uid=0(root) gid=0(root) groups=0(root),... exit $ id uid=1042(duck) gid=1042(duck) groups=1042(duck),.... As well as checking its access control rules, pkexec also performs a range of other "Security hardening" operations before it runs your chosen command with added privileges.
A memory corruption vulnerability in PolKit, a component used in major Linux distributions and some Unix-like operating systems, can be easily exploited by local unprivileged users to gain full root privileges. While the vulnerability is not exploitable remotely and doesn't, in itself, allow arbitrary code execution, it can be used by attackers that have already gained a foothold on a vulnerable host to escalate their privileges and achieve that capability.
Linux vendors on Tuesday issued patches for a memory corruption vulnerability in a component called polkit that allows an unprivileged logged-in user to gain full root access on a system in its default configuration. Security vendor Qualys found the flaw and published details in a coordinated disclosure.
A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system, researchers warn today. Researchers at Qualys information security company found that the pkexec program could be used by local attackers to increase privileges to root on default installations of Ubuntu, Debian, Fedora, and CentOS. They warn that PwnKit is likely exploitable on other Linux operating systems as well.
A vulnerability in Polkit's pkexec component that is present in the default configuration of all major Linux distributions can be exploited to gain full root privileges on the system, researchers warn today. Identified as CVE-2021-4034 and named PwnKit, the security issue has been tracked to the initial commit of pkexec, more than 12 years ago, meaning that all Polkit versions are affected.
Two security vulnerabilities that impact the Control Web Panel software can be chained by unauthenticated attackers to gain remote code execution as root on vulnerable Linux servers. CWP, previously known as CentOS Web Panel, is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.
Cisco released a security update warning about a handful of vulnerabilities lurking in its networking technology, led by a critical bug in the company's StarOS debug services. Cisco pushed out a fix for its Cisco StarOS Software on Wednesday.
Cisco has fixed a critical security flaw discovered in the Cisco Redundancy Configuration Manager for Cisco StarOS Software during internal security testing. "A vulnerability in Cisco RCM for Cisco StarOS Software could allow an unauthenticated, remote attacker to perform remote code execution on the application with root-level privileges in the context of the configured container," Cisco said.
Umbrella company Parasol Group has confirmed why it shut down part of its IT last week: it found unauthorised activity from an intruder. Tech freelancers suspected a cyberattack was to blame for the blackout and sure enough the Group wrote to customers at the close of last working week to explain in more detail what had happened.
A local privilege escalation security vulnerability could allow attackers to gain root access on Ubuntu systems by exploiting a double-free memory corruption bug in GNOME's AccountsService component. The security flaw was accidentally spotted by GitHub security researcher Kevin Backhouse while testing an exploit demo for another AccountsService bug that also made it possible to escalate privileges to root on vulnerable devices.