CVE-2011-4945 in PolicyKit

Summary

by MITRE

PolicyKit 0.103 sets the AdminIdentities to "wheel" by default, which allows local users in the wheel group to gain root privileges without authentication.


Analysis

by VulDB Data Team • 12/14/2021

CVE-2011-4945 describes a privilege escalation flaw in the default configuration of the PolicyKit authentication framework, version 0.103. PolicyKit is a system-wide authorization framework that controls access to system resources and administrative functions on Unix-like operating systems. In this version the AdminIdentities parameter defaulted to membership of the "wheel" group, which effectively granted unrestricted root access to any user belonging to that group. This design flaw undermined the system's security model by removing the authentication step that should normally be required before administrative commands are executed.

The vulnerability stems from the default policy configuration rather than from a code execution flaw or buffer overflow. When PolicyKit processes an administrative request, it consults the AdminIdentities parameter to determine who may perform privileged operations. With the default set to "wheel", every member of that group was treated as an authorized administrator, with no additional authentication mechanism such as password verification or two-factor authentication. The misconfiguration therefore acted as a persistent backdoor: a local user could escalate to root simply by belonging to the wheel group, bypassing the authentication procedures that should protect system integrity.

The operational impact is severe and spans many attack vectors and system configurations. A local attacker who obtains membership of the wheel group can immediately execute any administrative command without further verification, which can lead to complete system compromise. The flaw affects any system that deploys PolicyKit as its primary authorization framework, which includes most modern Linux distributions and Unix-based systems. The consequences go beyond simple privilege escalation: an attacker can modify system files, install malicious software, manipulate user accounts, and establish persistent access within the compromised system.

Security practitioners should address this vulnerability through immediate configuration changes that restrict the AdminIdentities parameter to only explicitly trusted users or groups. The recommended mitigation involves modifying the PolicyKit configuration files to either remove the wheel group from administrative identities or implement additional authentication requirements for wheel group members. Organizations should conduct comprehensive audits to identify all systems running PolicyKit 0.103 or earlier versions and ensure proper configuration management practices are in place. This vulnerability aligns with CWE-284, which addresses improper access control, and represents a classic example of excessive privilege assignment that violates the principle of least privilege. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques and can be leveraged as a foundational foothold for further system compromise, potentially enabling lateral movement and persistence within compromised environments.
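As a defender's check for the misconfiguration described above, the following audit script is an added example (not VulDB's or the polkit project's code). It assumes the pklocalauthority(8) layout: INI-style files under /etc/polkit-1/localauthority.conf.d/ with a [Configuration] section and an AdminIdentities line such as "unix-user:0;unix-group:wheel", read in lexical order with later files overriding earlier ones; the sample contents and the directory path are constructed assumptions.

```python
"""Audit polkit Local Authority AdminIdentities for group-wide admin grants."""
import configparser
import glob
import os

# Assumed location of the Local Authority configuration fragments.
CONF_DIR = "/etc/polkit-1/localauthority.conf.d"

# Constructed samples: the 0.103 default that CVE-2011-4945 describes,
# and a restricted form that names only explicit users.
SAMPLE_VULNERABLE = "[Configuration]\nAdminIdentities=unix-group:wheel\n"
SAMPLE_SAFE = "[Configuration]\nAdminIdentities=unix-user:0;unix-user:alice\n"


def parse_admin_identities(text):
    """Return the AdminIdentities list from one config file's text.

    Only '=' is accepted as a delimiter so that the ':' inside
    'unix-group:wheel' is not mistaken for a key/value separator.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    raw = cp.get("Configuration", "AdminIdentities", fallback="")
    return [ident.strip() for ident in raw.split(";") if ident.strip()]


def effective_admin_identities(file_texts):
    """Apply files in the given (lexical) order; the last definition wins."""
    effective = []
    for text in file_texts:
        idents = parse_admin_identities(text)
        if idents:
            effective = idents
    return effective


def audit(file_texts):
    """Flag group-wide grants; 'unix-group:wheel' is the vulnerable default."""
    idents = effective_admin_identities(file_texts)
    groups = [i for i in idents if i.startswith("unix-group:")]
    return {"admin_identities": idents, "group_grants": groups,
            "wheel_is_admin": "unix-group:wheel" in idents}


def audit_directory(conf_dir=CONF_DIR):
    """Read every *.conf fragment in lexical order and audit the result."""
    texts = []
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        with open(path, encoding="utf-8") as fh:
            texts.append(fh.read())
    return audit(texts)


if __name__ == "__main__":
    print("vulnerable sample:", audit([SAMPLE_VULNERABLE]))
    print("restricted sample:", audit([SAMPLE_SAFE]))
```

A non-empty group_grants list means an entire group can satisfy admin authorization; remediation per the analysis above is to list explicit users (or unix-user:0) instead.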

Reservation: 12/23/2011

Disclosure: 10/01/2012

Moderation: accepted

Entry: VDB-62518

CPE: ready

EPSS: 0.00039

KEV: no

Activities: very low
