SECURITY ALERT -- BBAI owners ONLY (Debian 9): /usr/bin/pkexec exploit

For BeagleBone-AI based Kiwis running Debian 9 (ONLY)


From the admin page, console tab, or from an ssh connection to your Kiwi logged in as root, type:

chmod 755 /usr/bin/pkexec

This removes the "set user ID" (SUID) bit from the file permissions. pkexec is not used for anything Kiwi-related, so it doesn't matter.


Do a package upgrade to get the latest Debian 9 security fixes. From a root connection as above, type:



Note that libpolkit and policykit should appear in the output from the pkug command:

The following packages will be upgraded:

 bb-customizations libnss3 libpolkit-agent-1-0 libpolkit-backend-1-0 libpolkit-gobject-1-0 libqt5svg5 liburiparser1 libxfont2 policykit-1

It's not 100% clear that the above upgrade actually fixes the problem. So also do:

chmod 755 /usr/bin/pkexec


Regular BeagleBone Green / Black Kiwis (the vast majority of them) running Debian 8 are not effected (pkexec doesn't exist).

The recent experimental Debian 10 Kiwi release is not effected (pkexec doesn't exist). But might as well do a pkup pkug as above to get the most recent security patches.

More information:

Sign In or Register to comment.