Transparently Patching PWNKIT with Ksplice

January 28, 2022 | 4 minute read
Text Size 100%:

Several days ago, CVE-2021-4034 was reported by the Qualys Research Team who uncovered a vulnerability in pkexec allowing unprivileged users to gain root privilege. This vulnerability was code named ‘PWNKIT’ and their blog is an excellent description into how the vulnerability operates. This vulnerability was patched in Oracle Linux in the following advisories for OL 8, OL 7, OL 6, and Oracle VM. Although the vulnerability is not in the Linux kernel, the Ksplice team was able to write a kernel patch to ensure that users would be patched without any operator intervention on affected systems, and to log attempted exploitation via Ksplice Exploit Detection.

Transparently patching vulnerabilities with Ksplice

Ksplice allows Oracle Linux users to patch security vulnerabilities without downtime on their systems. We have Ksplice technology for the Linux kernel and for key operating system libraries to allow long running processes to be updated without restarting.

However, the kernel and key libraries are not the only attack surface that receive exploits and vulnerabilities, and occasionally we are able to use the kernel patch technology to patch vulnerabilities outside of the kernel. We tend to reserve this behavior for high consequence vulnerabilities, and these opportunities are not common, but this week we were able to use Ksplice technology to patch a well publicized vulnerability in pkexec without requiring any user intervention.

Fortunately the mitigation for the vulnerability was as simple as doing chmod on the file to remove the SUID bit, but this still would leave many systems open to attack as that command has to be executed by a system administrator. We wanted to be able to patch this transparently, so that users would be secure against such an attack without having to make any manual intervention at all.

Ksplice developers are part of the Oracle Linux security team, and when they saw this vulnerability come across the responsible disclosures mailing list, we started working on a patch for Oracle Linux, but also realized that the necessary preconditions to exploiting this vulnerability would be visible to the kernel, and that we might have the opportunity to transparently fix the problem. Although this is not a vulnerability in the Linux Kernel, the kernel is part of the attack (executing the binary) and therefore could be used to prevent the attack as well.

It should be noted that not every userspace attack can be prevented from the kernel, and that this is something we reserve only for particularly high impact vulnerabilities. We looked into this kind of solution a few weeks ago when a particularly high profile logging vulnerability was exposed, but in that case, at least from the perspective of the kernel and operating system, the exploit behavior was indistinguishable from normal operation of that code since it was exploiting otherwise correct behavior.

Stopping a Userspace attack with Ksplice

The conditions required to execute the PWNKIT attack can be detected by the kernel. A valid call to pkexec, when run from the shell, has a different fingerprint than this attack, which uses a specially crafted syscall using execve*() to exploit the vulnerability. In this case, we can detect that the user is calling a SUID root-owned program as a non-root user, and that the program is pkexec, and we simply prevent the system from running that binary. As an added benefit, we can also plumb this attack into the Ksplice Exploit Detection to log the active attack and ensure that operators are aware of the ongoing attack.

Benefits of using a Kernel Ksplice to stop a userspace attack

Using Ksplice to patch this userspace vulnerability from the kernel provides two significant benefits to end users. First, Ksplice Exploit Detection allows operators to detect attacks in progress in a way that the chmod solution would not. More importantly, the Ksplice solution is deployed via our Ksplice online update model, which pushes out security fixes to users without manual intervention. Because of this, many systems were secured from the vulnerability within hours of the vulnerability becoming publicized.

By using the kernel to intercept this attack, we are also able to log that the attack occurred. The suggested mitigation, removing the SUID bit from pkexec, achieves the same goal of preventing the attack, but doesn’t provide the additional side effect of allowing the attack to be detected – since once the SUID bit is removed, there’s no trace of the attack attempt. Using the kernel means we can report the attack in progress. This is the value proposition for Ksplice Exploit Detection: while preventing attacks can be as simple as adding a bounds check or null terminator, once the attack vector is fixed there is also no trace that the attack occurred since the attack will look like normal system operation. Ksplice allows us to both block the attack and also to log the attack.

Ksplice updates also apply without user intervention required. While the manual steps required to close off this attack vector are trivial for privileged users, it still requires an RPM update or specific action by the operator. By applying this patch via Ksplice, this patch would be automatically installed and enabled, solving the problem without user intervention. This allowed a large segment of our Ksplice user base to be patched within hours of the vulnerability being published, and without requiring any intervention by the systems administrators.

Use Ksplice and Oracle Linux to keep your systems secure

Ksplice allows users to patch kernel vulnerabilities without downtime, and provides mechanisms to detect and alert on unsuccessful attempts to exploit security vulnerabilities. In the case of ‘PWNKIT’ we were able to use Ksplice kernel patching to intercept and prevent this root privilege escalation, and to use the Ksplice online update framework to transparently push this out to Ksplice users, patching those systems without user intervention.

The Ksplice team often has to deal with kernel internals to enable live patching and to come up with creative solutions to improve security for our customers. If this kind of work sounds interesting to you, consider applying for a job with the Ksplice team! Feel free to drop us a line at

Greg Marsden

Previous Post

The Freezing of tasks in the Linux kernel and how it's used by Ksplice

Gregory Herrero | 24 min read

Next Post

Don’t miss the semi-annual State of the Penguin address

Peter Laudenslager | 2 min read