CVE-2021-4034 PolKit Vulnerability
CVE-2021-4034 is a new vulnerability detected in PolKit, a component for controlling system-wide privileges in Unix-like operating systems.
The vulnerability was discovered in Polkit’s pkexec, a SUID-root program installed by default on every major Linux distribution. The discovery belongs to Qualys researchers.
In terms of its potential impact, the vulnerability could allow unprivileged users to gain root privileges on the exposed system. The issue has been verified independently, and an exploit has been developed as well. The following Linux distributions are affected:
However, according to Qualys, “other Linux distributions are likely vulnerable and probably exploitable”. What is staggering in this case is that CVE-2021-4034 has been “hiding in plain sight for 12+ years,” affecting all versions of pkexec since its initial version released in May 2009.
More technical details are available in the official security advisory.
In June 2021, another years-old PolKit vulnerability was discovered. Identified as CVE-2021-3560, the flaw appeared to have been around for at least seven years.