Pwnkit privilege escalation attempt
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect exploitation of CVE-2021-4034 dubbed PwnKit.
Strategy
PwnKit is a local privilege escalation vulnerability originally found by Qualys. It affects PolicyKit’s pkexec
program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever pkexec
is executed by a non-root process with the SHELL
and PATH
variables set.
Triage and response
- Determine the purpose of the process executing
pkexec
. - Look for any suspicious actions or commands being executed after the
pkexec
execution. - If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization’s internal processes for investigating and remediating compromised systems.
- Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on
pkexec
with the following command: sudo chmod -s \$(which pkexec)
.
Requires Agent version 7.27 or greater