惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Vulnerabilities – Threatpost
T
The Blog of Author Tim Ferriss
S
SegmentFault 最新的问题
D
DataBreaches.Net
博客园_首页
罗磊的独立博客
B
Blog
T
Threat Research - Cisco Blogs
C
Cisco Blogs
GbyAI
GbyAI
Engineering at Meta
Engineering at Meta
WordPress大学
WordPress大学
G
GRAHAM CLULEY
H
Help Net Security
酷 壳 – CoolShell
酷 壳 – CoolShell
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
爱范儿
爱范儿
SecWiki News
SecWiki News
T
Threatpost
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Schneier on Security
Schneier on Security
T
The Exploit Database - CXSecurity.com
Google Online Security Blog
Google Online Security Blog
T
Tor Project blog
小众软件
小众软件
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Y
Y Combinator Blog
H
Hacker News: Front Page
V
V2EX
Security Latest
Security Latest
Cloudbric
Cloudbric
Simon Willison's Weblog
Simon Willison's Weblog
Attack and Defense Labs
Attack and Defense Labs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
P
Proofpoint News Feed
博客园 - 三生石上(FineUI控件)
NISL@THU
NISL@THU
S
Secure Thoughts
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
V2EX - 技术
V2EX - 技术
Vercel News
Vercel News
P
Palo Alto Networks Blog
IT之家
IT之家
MyScale Blog
MyScale Blog
有赞技术团队
有赞技术团队
Application and Cybersecurity Blog
Application and Cybersecurity Blog
D
Docker
Google DeepMind News
Google DeepMind News
Webroot Blog
Webroot Blog

Datadog | The Monitor blog

Introducing our open source AI-native SAST Instrument and monitor Boomi integration flows with OpenTelemetry and Datadog Not all index scans are equal: How we cut query latency by over 99% Platform engineering metrics: What to measure and what to ignore Integrate Recorded Future threat intelligence with Datadog Cloud SIEM CI/CD security: threat modeling using a MITRE-style threat matrix CI/CD security: How to secure your GitHub ecosystem Ingress NGINX is EOL: A practical guide for migrating to Kubernetes Gateway API Operating agentic AI with Amazon Bedrock AgentCore and Datadog LLM Observability: Lessons from NTT DATA Introducing the Datadog Code Security MCP Capture and analyze custom heatmaps in Session Replay Understand session replays faster with AI summaries and smart chapters Monitor ClickHouse query performance with Datadog Database Monitoring How we designed empathetic alert sounds for on-call engineers Search and act across Datadog to resolve issues faster with Bits Assistant Measure the business impact of every product change with Datadog Experiments Analyzing round trip query latency Configuring JavaScript caches for better performance Introducing Bits AI Dev Agent for Code Security Datadog achieves ISO 42001 certification for responsible AI Monitor Nutanix clusters, hosts, and VMs with Datadog Monitor Juniper Mist in Datadog A new Host Map for modern infrastructure Annotate traces to improve LLM quality with Datadog LLM Observability What’s new in Cloud SIEM: AI-powered investigations, enhanced threat intelligence, and scalable security operations Explore Kubernetes with native OpenTelemetry data Monitor Oracle Fusion Cloud Applications with Datadog Announcing the Datadog Terraform provider v4.0.0 Scaling Kubernetes workloads on custom metrics How to design cloud environments for AI-powered threat analysis Monitor Aruba Central in Datadog How we centralize and remediate risks with Datadog Case Management Accelerate incident response with Datadog and ServiceNow Monitor your application and network load balancer logs Understanding Karpenter architecture for Kubernetes autoscaling Tools for collecting metrics and logs from Karpenter Monitor Karpenter with Datadog What your product data is actually saying Key metrics for monitoring Karpenter Securing Datadog’s platform in the AI age: The role of observability data Four ways engineering teams use the Datadog MCP Server to power AI agents Approaching your observability migration with the right mindset Meet the new Bits AI SRE: Deeper reasoning, twice as fast Key learnings from the 2026 State of DevSecOps study Use plain English to query your multi-cloud infrastructure in Resource Catalog Simplifying troubleshooting across the user journey with Datadog Synthetic Monitoring Protect your OCI resources with Datadog Cloud Security This Month in Datadog - February 2026 Amazon EC2 security: How misconfigured and public AMIs expand your cloud attack surface Enable end-to-end visibility into your Java apps with a single command Measure and improve mobile app startup performance with Datadog RUM Evaluating our AI Guard application to improve quality and control cost Identify untested code across every level of your codebase Make use of guardrail metrics and stop babysitting your releases Monitor Versa Networks SD-WAN performance in Datadog Improve performance and reliability with APM Recommendations Remediate transitive vulnerabilities faster with Datadog Software Composition Analysis Generate audit-ready vulnerability and compliance reports with Datadog Sheets Monitor Fortinet FortiManager performance in Datadog Improve test coverage across codebases with Datadog Code Coverage Move fast, don’t break things: Consistent testing standards at scale Enrich logs with ServiceNow CMDB context before routing to any SIEM or logging tool Monitor Lustre with Datadog Make faster, better product decisions with Datadog Product Analytics Surface and remediate runtime posture issues with Workload Protection Findings Protect agentic AI applications with Datadog AI Guard How to optimize JavaScript code with CSS Trace Google Pub/Sub workloads in Cloud Run with Datadog Detect human names in logs with ML in Sensitive Data Scanner How we cut our NLQ agent debugging time from hours to minutes with LLM Observability Debug PostgreSQL query latency faster with EXPLAIN ANALYZE in Datadog Database Monitoring Datadog acquires Propolis Unify and correlate frontend and backend data with retention filters Scale compliance across global frameworks with Datadog Cloud Security Monitor Arista VeloCloud SD-WAN performance with Datadog Building reliable dashboard agents with Datadog LLM Observability Simplify log collection and aggregation for MSSPs with Datadog Observability Pipelines Mitigation for Node.js denial-of-service vulnerability affecting Datadog APM Automate flaky test fixes with the Bits AI Dev Agent and Test Optimization How we built an AI SRE agent that investigates like a team of engineers Datadog integrations 2025 recap: Observability for AI, security, and hybrid cloud Design effective executive dashboards with Datadog Implement dbt data quality checks with dbt-expectations Bring faster visibility into AWS Lambda functions with remote instrumentation Troubleshoot faster with the GitLab Source Code integration in Datadog How Cambia Health Solutions saved $30,000 monthly with Cloud Cost Management and the Datadog Resource Catalog Normalize any logs for Cloud SIEM with Datadog's OCSF processor Optimizing Datadog at scale: Cost-efficient observability at Zendesk Detect, diagnose, and resolve network issues easily with CNM Network Health Connect engineering errors to user impact in early-stage products Cilium configuration for Kubernetes operations at scale Designing feedback loops for progressive delivery Ship features faster and safer with Datadog Feature Flags Choosing the right OpenTelemetry Collector distribution Route your monitor alerts with Datadog monitor notification rules Automate Cloud SIEM investigations with Bits AI Security Analyst Cloud threat detection: How to identify risky activity across control and data planes Collecting Kafka performance metrics Monitoring Kafka with Datadog Monitoring Kafka performance metrics
The PwnKit vulnerability: Overview, detection, and remediation
Zack Allen, Christophe Tafani-Dereeper, Matt Mills · 2022-01-28 · via Datadog | The Monitor blog

On January 25, 2022, Qualys announced the discovery of a local privilege escalation vulnerability that it identified as PwnKit. The PwnKit vulnerability affects PolicyKit’s pkexec, a SUID-root program installed by default on many Linux distributions. The same day of the announcement, a proof of concept (PoC) exploit was built and published by the security research community. Qualys claims that this vulnerability is present on default installations of major Linux distributions such as Ubuntu, Debian, Fedora, and CentOS. According to CVETrends for the week of January 24, 2022, PwnKit has the most engagement on social media by vulnerability.

Datadog Security Research has verified this exploit using publicly available PoCs. We are releasing our analysis and coverage for Datadog Workload Protection customers to help detect this exploit being used on production environments.

Key points and observations

  • November 18, 2021: Qualys discovers this vulnerability and informs Red Hat of their research

  • January 11, 2022: Qualys sends an advisory and patch to distros@openwall

  • January 25, 2022: On the day of the coordinated release date, PoCs for the exploit begin circulating across code sharing sites and social media

  • January 25, 2022: Datadog begins investigating the vulnerability and publicly available exploits. Our security research team initiates our rapid response process to provide coverage to Datadog customers

  • January 25, 2022: Red Hat assigns the vulnerability (nicknamed “PwnKit”), a CVSS score of 7.8/10

Due to this vulnerability’s low barrier to entry, its widespread scope, and its default installation across many Linux distributions, it is likely that attackers will use it in order to gain a privileged foothold on production and cloud workload environments.

Check if your system is vulnerable

If PolicyKit is not installed on your operating system, you are not affected by this vulnerability. Unfortunately, PolicyKit is installed by default in most major Linux distributions except Debian.

Major Linux distributions have released dedicated security bulletins to help mitigate the vulnerability:

Ubuntu

Security notice for Ubuntu 18.04, 20.04, and 21.10

Security notice for end-of-support Ubuntu versions 14.04 and 16.04

You can use dpkg -s policykit-1 to see the currently installed PolicyKit version. The table below summarizes the last vulnerable PolicyKit version along with the first fixed one. Note that to patch a system running Ubuntu 14.04 LTS (Trusty) or Ubuntu 16.04 LTS (Xenial), you need to be subscribed to Canonical’s Extended Security Maintenance service, as these distributions are no longer supported.

Ubuntu versionLatest vulnerable versionFirst fixed version
14.04 LTS (Trusty)0.105-4ubuntu3.14.04.60.105-4ubuntu3.14.04.6+esm1
16.04 LTS (Xenial)0.105-14.1ubuntu0.50.105-14.1ubuntu0.5+esm1
18.04 LTS (Bionic)0.105-200.105-20ubuntu0.18.04.6
20.04 LTS (Focal)0.105-26ubuntu1.10.105-26ubuntu1.2

Debian

See Debian’s security notice here.

Contrary to other distributions, PolicyKit is not installed by default on Debian. However, it is a dependency of several popular packages, such as network-manager, gparted, and firewalld. You can use dpkg -s policykit-1 to verify the version.

Debian versionLatest vulnerable versionFirst fixed version
Stretch0.105-18+deb9u10.105-18+deb9u2
Buster0.105-250.105-25+deb10u1
Bullseye0.105-310.105-31+deb11u1
(unstable)0.105-31.1~deb12u10.105-31.1

CentOS / Fedora / RHEL

See Red Hat’s security notice here.

The RHEL advisory contains additional, specific mitigation measures that can be applied to CentOS/Fedora-based systems.

Cloud Images

See AWS’s security notice here.

PolicyKit is not installed by default on Amazon Linux 2.

On most systems, updating the PolicyKit package (policykit-1 on Debian-based systems, polkit on CentOS/Fedora-based systems) to its latest version mitigates the vulnerability. When updating is not feasible, you can remove the SUID bit that is set by default on the PolicyKit binary, pkexec:

#Remove the SUID bit on the PolicyKit binary

sudo chmod -s $(which pkexec)

How the PwnKit vulnerability works

Several working proof-of-concept exploits and demo environments are publicly available, which likely increases potential attackers’ awareness of the vulnerability.

PolicyKit is a software that allows you to define interfaces for unprivileged processes to interact with highly privileged ones. Because of this, its executable is owned by the root user and has the SUID bit set. This makes it an attractive target, similar to other tooling like the sudo utility.

The PwnKit vulnerability allows users to run the PolicyKit executable pkexec, passing it a specific set of environment variables that cause an arbitrary library file to be loaded. As a consequence, an underprivileged attacker can invoke PolicyKit and trick it into executing an attacker-controlled .so file on the local file system. Upon successful exploitation, the attacker is able to escalate from a user with limited privileges to a user with root access.

How Datadog can help

Datadog Workload Protection monitors file and process activity in real time at the kernel level. We released the following detection rule to automatically identify exploitation attempts of the vulnerability:

(exec.file.path == "/usr/bin/pkexec" && exec.envs in [~"*SHELL*","*PATH*",”*CHARSET*”] && exec.uid != 0)

This detection monitors executions of the PolicyKit binary by underprivileged users with the environment variables SHELL, PATH, and CHARSET, which are needed to trigger the vulnerability. This detection is available in Datadog today; to ensure coverage, make sure you’re using the latest Datadog Agent and have deployed the latest CWS policy.

For more information, see Workload Security Event Types.

Conclusion

PwnKit is a significant vulnerability because it provides attackers an easy-to-use local privilege escalation in Linux infrastructure. However, the risks and disruptions can be mitigated through a defense-in-depth security approach. Datadog customers can enable Workload Protection today to get immediate defense at the runtime level by detecting the exploitation in real time. Additionally, when running workloads on Linux in production, consider minimizing the potential attack-surface by:

  1. Only installing software that is required to run your workload.

  2. If you are running containerized workloads, consider using a minimal Linux distribution such as Alpine Linux, Amazon Bottlerocket, or Container-Optimized OS.

Securing your production environment is a continuous journey, and doesn’t stop after you’ve mitigated this newest vulnerability. For a more holistic security approach, you can check out Datadog Security and start a free 14-day trial today.

Acknowledgments

Thank you to Nick Davis, Sylvain Afchain, and Guillaume Fournier, all of whom contributed to the making of this post.