A critical security vulnerability has been discovered in a very common Linux component called Polkit (formerly known as PolicyKit). The vulnerability is present in the default configuration of all major Linux distributions, as well as other distributions. If successfully exploited, the vulnerability could allow an actor to gain full root privileges on the system. Although Pitt Information Technology is not aware of attempts to exploit this vulnerability at the University, it is being actively exploited elsewhere.

Pitt IT recommends administrators prioritize applying the patches to all Linux systems. If a patch is not yet available for your Linux distribution, please evaluate the temporary mitigations referenced in the news articles below.

• Debian Advisory
• Red Hat Advisory
• Ubuntu Advisory:
• polkit Gitlab - Direct update (CVE-2021-4034)

Additional details about the vulnerability are available from the following news articles:

• Major Linux PolicyKit security vulnerability uncovered: Pwnkit (ZDNet)
• PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) (Qualys)

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.