There are those who say that open source software is more secure than commercial software because anyone can look at the source code. This is a complete myth for a number of reasons. First, 99.99% of people have no clue how to do that. Next, most open source software is maintained, if it is maintained at all, by a handful of people. Finally, even if you are skilled and do look at the code, that does not mean you will find the problem.
Case in point: a TWELVE YEAR OLD BUG was found in Polkit’s pkexec tool, which ships in all major Linux distros.
Successful exploitation will give the attacker root access to the system.
Qualys researchers discovered the bug, not hackers, but that does not mean hackers were unaware of it. It has a CVSS score of 7.8, and now everyone knows about it.
Rob Joyce, long time NSA techie and now their cybersecurity director, tweeted that the bug has him concerned: “Easy and reliable privilege escalation preinstalled on every major Linux distribution. Patch ASAP or mitigate by changing permissions on the file (chmod 0755 /usr/bin/pkexec).” Note that doing this will block the exploit, but it will also likely break some software.
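The chmod 0755 mitigation quoted above works because it strips the setuid-root bit from pkexec, and an administrator will want a quick way to confirm which state a host is in. The following POSIX shell script is an added example written for this alert, not code from Qualys, Polkit or the tweet; it assumes pkexec lives at /usr/bin/pkexec (override with the PKEXEC environment variable) and that the shell’s test -u primary is available. It reports whether the binary is still setuid, and wraps the quoted chmod as a function that must be run as root.

```shell
#!/bin/sh
# Added example (not part of the original alert): report whether pkexec still
# carries the setuid-root bit that the described privilege escalation relies on,
# and provide the quoted chmod 0755 mitigation as a function.
# Assumptions: POSIX sh with `test -u`; default path /usr/bin/pkexec, overridable
# via the PKEXEC environment variable.

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# mode_has_setuid OCTAL_MODE
#   Returns 0 when the 04000 (setuid) bit is set in an octal mode string such
#   as "4755"; returns 1 for "0755". Useful for checking modes pulled from
#   inventory or package metadata without touching the filesystem.
mode_has_setuid() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# file_has_setuid PATH
#   Returns 0 when PATH is a regular file with the setuid bit set.
file_has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# mitigation_status PATH
#   Prints one word: "missing" (no such file), "setuid" (still exploitable on
#   an unpatched system) or "mitigated" (setuid bit removed, as after chmod 0755).
mitigation_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo mitigated
    fi
}

# apply_mitigation PATH
#   Applies the mitigation quoted in the alert: mode 0755 drops the setuid bit.
#   Requires root; returns chmod's non-zero status on failure. Remember that
#   legitimate uses of pkexec stop working until the patched package is installed.
apply_mitigation() {
    chmod 0755 "$1"
}

# Human-readable report when the script is run directly.
case "$(mitigation_status "$PKEXEC")" in
    setuid)    echo "$PKEXEC is setuid root: patch now, or mitigate with: chmod 0755 $PKEXEC" ;;
    mitigated) echo "$PKEXEC is not setuid: the pkexec privilege escalation is blocked (expect pkexec-dependent software to break until patched)" ;;
    missing)   echo "$PKEXEC not found on this system" ;;
esac
```

Run it as any user to get the status line; only apply_mitigation needs root. The status check is deliberately separate from the fix so it can be dropped into a fleet-wide audit that reports hosts still exposed before anyone changes permissions.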
THERE ARE WORKING PROOF OF CONCEPTS IN THE WILD.
Credit: Threatpost