CVE-2021-4034 (PwnKit)

Posted by: mstauber Category: General

A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system, researchers warned today.

CVE-2021-4034 has been named PwnKit and its origin has been tracked to the initial commit of pkexec, more than 12 years ago, meaning that all Polkit versions are affected.

Part of the Polkit open-source application framework that negotiates the interaction between privileged and unprivileged processes, pkexec allows an authorized user to execute commands as another user, doubling as an alternative to sudo.

Easy to exploit, PoC expected soon

Researchers at Qualys information security company found that the pkexec program could be used by local attackers to increase privileges to root on default installations of Ubuntu, Debian, Fedora, and CentOS.

They warn that PwnKit is likely exploitable on other Linux operating systems as well.

More information: Here

Mitigation and Security Fixes

Running the command ...

chmod 0755 /usr/bin/pkexec

... as "root" removes the SUID-bit from /usr/bin/pkexec and mitigates the issue until upstream (CentOS, AlmaLinux, etc.) release updated "polkit" RPMs that permanently fix the issue.

For BlueOnyx and Aventurin{e} we have released a hotfix (wrapped into the "swatch" RPM) that does this for you. It removes the SUID-flag from /usr/bin/pkexec unless a fixed "polkit" RPM is eventually released. Be sure to fully "yum update" your BlueOnyx and Aventurin{e} servers!

Below is a list of available hotfixes and updates listed by platforms:

Aventurin{e} 6109R

Mitigation provided via "swatch" RPM. Available via "yum update"

BlueOnyx 5210R

Mitigation provided via "swatch" RPM. Available via "yum update"

BlueOnyx 5209R

Mitigation provided via "swatch" RPM. Available via "yum update"

BlueOnyx 5207R/5208R (EOL!)

Despite CentOS 6 and SL6 being EOL for quite a while now, there are still substantial numbers of BlueOnyx 5207R/5208R servers around. As "yum update" on them is broken since the upstream repositories went away, a YUM update could not be provided in a sensible fashion. Therefore we released an updated "polkit" RPM (built from the Red Hat Enterprise Linux Server 6 - Extended Life Cycle Support Errata page SRPM) as PKG file. You can download and install this in the GUI via NewLinQ. The PKG is named "Polkit". The "Polkit" PKG is available to you on BlueOnyx 5207R and BlueOnyx 5208R even if you do not have any ongoing NewLinQ subscription.

As noted above: Release of this fix as a PKG was only needed for BlueOnyx 5207R/5208R. Installation of this PKG also unties your BlueOnyx 5207R/5208R from the CentOS 6 and/or Scientific Linux 6 YUM repositories and ties it into vault.centos.org, which will at least restore YUM to basic working order for future emergency YUM updates against the BlueOnyx YUM repositories.

To ensure safe operation of your BlueOnyx and Aventurin{e} servers please make sure to have all updates installed.


Return
General
Jan 25, 2022 Category: General Posted by: mstauber