CVE-2021-4034 polkit privilege escalation

Bug #1960087 reported by Joe Slater
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Joe Slater
Milestone: (none)

Bug Description

pkexec can be used to gain root access by passing no arguments to it and crafting the environment.
Details of this exploit have not been made available.

A workaround is to clear the SUID bit for pkexec.

References - https://access.redhat.com/security/cve/CVE-2021-4034
             https://nvd.nist.gov/vuln/detail/CVE-2021-4034
             https://lists.centos.org/pipermail/centos-announce/2022-January/073552.html
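
The workaround named in the description, as an added example that is not part of the original report or the StarlingX fix: two small helpers that report whether a binary carries the set-user-ID bit and clear only that bit, then verify the result. The default path /usr/bin/pkexec and the function names are assumptions; the demo runs on a constructed scratch file, and the real binary is only inspected, never changed.

```shell
#!/bin/sh
# Added example: audit and apply the "clear the SUID bit" workaround.
# Assumption: pkexec lives at /usr/bin/pkexec; override with PKEXEC=...
PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# suid_state FILE -> prints "suid", "no-suid" or "missing"
suid_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo suid
    else
        echo no-suid
    fi
}

# clear_suid FILE -> removes only the set-user-ID bit and verifies it.
# Returns 0 if the bit is clear afterwards, 1 otherwise.
clear_suid() {
    [ -e "$1" ] || return 1
    chmod u-s "$1" || return 1
    [ "$(suid_state "$1")" = no-suid ]
}

# Read-only report for the real binary. Applying the workaround
# needs root and is left as an explicit step:
#   clear_suid "$PKEXEC"
echo "$PKEXEC: $(suid_state "$PKEXEC")"

# Constructed demo on a scratch file, so the script is safe to run anywhere.
demo() {
    f=$(mktemp) || return 1
    chmod 4755 "$f"
    before=$(suid_state "$f")
    clear_suid "$f"
    after=$(suid_state "$f")
    rm -f "$f"
    echo "$before -> $after"
}
demo
```

With the bit cleared, pkexec can no longer elevate for unprivileged callers, and a package reinstall or upgrade may set the bit again, so re-run the check after package changes until the fixed polkit build is installed.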

Changed in starlingx:
assignee: nobody → Joe Slater (jslater0wind)
Ghada Khalil (gkhalil)
tags: added: stx.security
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.7.0
Changed in starlingx:
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/828180

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/828180
Committed: https://opendev.org/starlingx/tools/commit/6d7ab17023dc57bf86e78bd3c98b0ba05e1040f6
Submitter: "Zuul (22348)"
Branch: master

commit 6d7ab17023dc57bf86e78bd3c98b0ba05e1040f6
Author: Joe Slater <email address hidden>
Date: Mon Feb 7 13:21:38 2022 -0500

    polkit: fix CVE-2021-4034 polkit privilege escalation

    pkexec always assumes there is at least one argument, which can be
    exploited by crafting the environment and calling it with no
    arguments. No specific exploit has been published.

    Update to polkit-0.112-26.el7_9.1.

    == testing ==
    We just want to see if pkexec still works.
    build and install an iso, then

    $ sudo pkexec --user puppet id
    Password: # enter sysadmin password
    uid=52(puppet) gid=52(puppet) groups=52(puppet)
    $
    ====

    Closes-bug: 1960087
    Signed-off-by: Joe Slater <email address hidden>
    Change-Id: I267e29d90e75dc772e17f0b5866850b4bb5ac3d2

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
information type: Public → Public Security