CISA Warns of Active Exploitation of ‘PwnKit’ Linux Vulnerability in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
this week moved to add^[1]
a Linux vulnerability dubbed PwnKit to its
Known Exploited Vulnerabilities
Catalog^[2], citing evidence of
active exploitation.

The issue, tracked as CVE-2021-4034^[3]
(CVSS score: 7.8), came to light in January 2022 and concerns a
case of local privilege escalation^[4] in polkit’s pkexec
utility, which allows an authorized user to execute commands as
another user.

Polkit (formerly called PolicyKit) is a toolkit for controlling
system-wide privileges in Unix-like operating systems, and provides
a mechanism for non-privileged processes to communicate with
privileged processes.

Successful exploitation of the flaw could induce pkexec to
execute arbitrary code, granting an unprivileged attacker
administrative rights on the target machine and compromising the
host.

It’s not immediately clear how the vulnerability is being
weaponized in the wild, nor is there any information on the
identity of the threat actor that may be exploiting it.

Also included in the catalog is CVE-2021-30533^[5], a security shortcoming
in Chromium-based web browsers that was leveraged by a malvertising
threat actor dubbed Yosec to deliver dangerous payloads last
year.

Furthermore, the agency added the newly disclosed Mitel VoIP
zero-day (CVE-2022-29499^[6]) as well as five Apple iOS vulnerabilities^[7] (CVE-2018-4344,
CVE-2019-8605, CVE-2020-9907, CVE-2020-3837, and CVE-2021-30983)
that were recently uncovered as having been abused by Italian
spyware vendor RCS Lab.

To mitigate any potential risk of exposure to cyberattacks, it’s
recommended that organizations prioritize timely remediation of the
issues. Federal Civilian Executive Branch Agencies, however, are
required to mandatorily patch the flaw by July 18, 2022.