Researchers at information security firm Qualys, who discovered it, also found that its origin goes back to the initial commit of pkexec, which means it impacts all Polkit versions. It has also been hiding in plain sight for more than 12 years, since pkexec’s first release in May 2009.
Reliable proof-of-concept (PoC) exploit code was shared online less than three hours after Qualys published technical details for PwnKit.
Qualys urged Linux admins to expedite securing vulnerable servers using the patches released by Polkit’s development team on their GitLab repository.
This is even more pressing given that, according to Qualys’ advisory, exploiting the PwnKit privilege escalation bug is possible without leaving traces on the compromised system.
Federal agencies ordered to patch within 3 weeks
The US cybersecurity agency also gave all Federal Civilian Executive Branch (FCEB) agencies three weeks, until July 18, to patch their Linux servers against PwnKit and block exploitation attempts.
According to a binding operational directive (BOD 22-01) issued by CISA in November to reduce the risk of known exploited bugs across US federal networks, FCEB agencies must secure their systems against bugs added to the Known Exploited Vulnerabilities Catalog (KEV).
Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations from the private and public sectors to prioritize patching this bug.
Following the agency’s advice should reduce the attack surface threat actors can target in attacks designed to compromise unpatched servers and breach vulnerable networks.
CISA has also urged government agencies and private sector orgs using Microsoft Exchange to expedite the switch from Basic Auth legacy authentication methods to Modern Auth alternatives.
FCEB agencies were also advised to block Basic Auth after migrating to Modern Auth, as doing so makes it harder for threat actors to pull off password spray and credential stuffing attacks.