CVE-2021-4034: Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
First published: Tue Nov 23 2021(Updated: )
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/polkit | <0:0.96-11.el6_10.2 | 0:0.96-11.el6_10.2 |
| redhat/polkit | <0:0.112-26.el7_9.1 | 0:0.112-26.el7_9.1 |
| redhat/polkit | <0:0.112-12.el7_3.1 | 0:0.112-12.el7_3.1 |
| redhat/polkit | <0:0.112-12.el7_4.2 | 0:0.112-12.el7_4.2 |
| redhat/polkit | <0:0.112-18.el7_6.3 | 0:0.112-18.el7_6.3 |
| redhat/polkit | <0:0.112-22.el7_7.2 | 0:0.112-22.el7_7.2 |
| redhat/polkit | <0:0.115-13.el8_5.1 | 0:0.115-13.el8_5.1 |
| redhat/polkit | <0:0.115-9.el8_1.2 | 0:0.115-9.el8_1.2 |
| redhat/polkit | <0:0.115-11.el8_2.2 | 0:0.115-11.el8_2.2 |
| redhat/polkit | <0:0.115-11.el8_4.2 | 0:0.115-11.el8_4.2 |
| redhat/redhat-virtualization-host | <0:4.3.21-20220126.0.el7_9 | 0:4.3.21-20220126.0.el7_9 |
| Polkit | ||
| Ubuntu Polkit Daemon | <121 | |
| Red Hat Enterprise Linux Server Update Services for SAP Solutions | =7.6 | |
| Red Hat Enterprise Linux Server Update Services for SAP Solutions | =7.7 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux Server EUS | =8.2 | |
| Red Hat Enterprise Linux for IBM Z Systems | =7.0 | |
| Red Hat Enterprise Linux for IBM Z Systems | =8.0 | |
| Red Hat Enterprise Linux for IBM Z Systems (s390x) | =8.2 | |
| Red Hat Enterprise Linux for IBM Z Systems (s390x) | =8.4 | |
| Red Hat Enterprise Linux for Power, big endian | =7.0 | |
| Red Hat Enterprise Linux for Power, little endian | =7.0 | |
| Red Hat Enterprise Linux for Power, little endian | =8.0 | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =8.1 | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =8.2 | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =8.4 | |
| Red Hat Enterprise Linux for Scientific Computing | =7.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Server | =7.7 | |
| Red Hat Enterprise Linux Server | =8.2 | |
| Red Hat Enterprise Linux Server | =8.4 | |
| Red Hat Enterprise Linux Server | =8.4 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Server | =7.7 | |
| Red Hat Enterprise Linux Server | =8.2 | |
| Red Hat Enterprise Linux Server | =8.4 | |
| Red Hat Enterprise Linux Server Update Services for SAP Solutions | =8.1 | |
| Red Hat Enterprise Linux Server Update Services for SAP Solutions | =8.2 | |
| Red Hat Enterprise Linux Server Update Services for SAP Solutions | =8.4 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =20.04 | |
| Ubuntu Linux | =21.10 | |
| SUSE Enterprise Storage | =7.0 | |
| SUSE Linux Enterprise High Performance Computing | =15.0-sp2 | |
| SUSE Manager Proxy | =4.1 | |
| SUSE Manager | =4.1 | |
| SUSE Linux Enterprise Desktop | =15-sp2 | |
| SUSE Linux Enterprise Server | =15-sp2 | |
| SUSE Linux Enterprise Server | =15-sp2 | |
| SUSE Linux Workstation Extension | =12-sp5 | |
| Oracle HTTP Server | =12.2.1.3.0 | |
| Oracle HTTP Server | =12.2.1.4.0 | |
| Oracle Storage Cloud Software Appliance | =8.8 | |
| Siemens Sinumerik Edge | <3.3.0 | |
| All of | ||
| Siemens Scalance LPE9403 Firmware | <2.0 | |
| Siemens Scalance LPE9403 Firmware | ||
| StarWind Command Center | =1.0-update3_build5871 | |
| StarWind Virtual SAN | =v8-build14338 | |
| Siemens Scalance LPE9403 Firmware | <2.0 | |
| Siemens Scalance LPE9403 Firmware | ||
| StarWind HyperConverged Appliance |
Remedy
For customers who cannot update immediately and doesn't have Secure Boot feature enabled, the issue can be mitigated by executing the following steps: 1) Install required systemtap packages and dependencies as per - pointed by https://access.redhat.com/solutions/5441 2) Install polkit debug info: ~~~ debuginfo-install polkit ~~~ 3) Create the following systemtap script, and name it pkexec-block.stp: ~~~ probe process("/usr/bin/pkexec").function("main") { if (cmdline_arg(1) == "") raise(9); } ~~~ 4) Load the systemtap module into the running kernel: ~~~ stap -g -F -m stap_pkexec_block pkexec_block.stp ~~~ 5) Ensure the module is loaded: ~~~ lsmod | grep -i stap_pkexec_block stap_pkexec_block 434176 0 ~~~ 6) Once polkit package was updated to the version containing the fix, the systemtap generated kernel module can be removed by running: ~~~ rmmod stap_pkexec_block ~~~ This mitigation doesn't work for Secure Boot enabled system as SystemTap would require an external compiling server to be able to sign the generated kernel module with a key enrolled into the Kernel's keyring.
Remedy
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-4034 https://nvd.nist.gov/vuln/detail/CVE-2021-4034 https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
- https://bugzilla.redhat.com/show_bug.cgi?id=2025869
- https://access.redhat.com/errata/RHSA-2022:0269
- https://access.redhat.com/errata/RHSA-2022:0274
- https://access.redhat.com/errata/RHSA-2022:0270
- https://access.redhat.com/errata/RHSA-2022:0272
- https://access.redhat.com/errata/RHSA-2022:0271
- https://access.redhat.com/errata/RHSA-2022:0273
- https://access.redhat.com/errata/RHSA-2022:0267
- https://access.redhat.com/errata/RHSA-2022:0268
- https://access.redhat.com/errata/RHSA-2022:0265
- https://access.redhat.com/errata/RHSA-2022:0266
- https://access.redhat.com/errata/RHSA-2022:0443
- https://access.redhat.com/errata/RHSA-2022:0540
- https://access.redhat.com/security/cve/cve-2021-4034
- http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html
- http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html
- https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
- https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf
- https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
- https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/
- https://www.starwindsoftware.com/security/sw-20220818-0001/
- https://www.suse.com/support/kb/doc/?id=000020564
- https://nvd.nist.gov/vuln/detail/CVE-2021-4034
- https://www.bleepingcomputer.com/news/security/linux-malware-perfctl-behind-years-long-cryptomining-campaign/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2045563
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2046038
- https://www.vicarius.io/vsociety/posts/pwnkit-pkexec-lpe-cve-2021-4034
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-4034?
CVE-2021-4034 is considered a high severity vulnerability that allows for local privilege escalation.
How do I fix CVE-2021-4034?
To fix CVE-2021-4034, update the polkit package to a version that is patched, such as 0:0.96-11.el6_10.2 or higher for Red Hat systems.
What causes CVE-2021-4034?
CVE-2021-4034 is caused by an out-of-bounds read and write vulnerability within the pkexec utility of the polkit package.
Which systems are affected by CVE-2021-4034?
CVE-2021-4034 affects multiple versions of Red Hat Enterprise Linux and systems using the polkit package, particularly versions prior to the fix releases.
Can CVE-2021-4034 be exploited remotely?
No, CVE-2021-4034 requires local access to exploit, as it involves privilege escalation using a setuid tool.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/title
- agent/severity
- agent/weakness
- agent/description
- agent/remedy
- agent/author
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2023-33246
- alias/CVE-2021-4034
- alias/CVE-2021-4043
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/trending
- agent/source
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- collector/nvd-index
- package-manager/redhat
- vendor/red hat
- canonical/polkit
- vendor/polkit project
- canonical/ubuntu polkit daemon
- vendor/redhat
- canonical/red hat enterprise linux server update services for sap solutions
- version/red hat enterprise linux server update services for sap solutions/7.6
- version/red hat enterprise linux server update services for sap solutions/7.7
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux server eus
- version/red hat enterprise linux server eus/8.2
- canonical/red hat enterprise linux for ibm z systems
- version/red hat enterprise linux for ibm z systems/7.0
- version/red hat enterprise linux for ibm z systems/8.0
- canonical/red hat enterprise linux for ibm z systems (s390x)
- version/red hat enterprise linux for ibm z systems (s390x)/8.2
- version/red hat enterprise linux for ibm z systems (s390x)/8.4
- canonical/red hat enterprise linux for power, big endian
- version/red hat enterprise linux for power, big endian/7.0
- canonical/red hat enterprise linux for power, little endian
- version/red hat enterprise linux for power, little endian/7.0
- version/red hat enterprise linux for power, little endian/8.0
- canonical/red hat enterprise linux for power, little endian - extended update support
- version/red hat enterprise linux for power, little endian - extended update support/8.1
- version/red hat enterprise linux for power, little endian - extended update support/8.2
- version/red hat enterprise linux for power, little endian - extended update support/8.4
- canonical/red hat enterprise linux for scientific computing
- version/red hat enterprise linux for scientific computing/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/7.3
- version/red hat enterprise linux server/7.4
- version/red hat enterprise linux server/7.6
- version/red hat enterprise linux server/7.7
- version/red hat enterprise linux server/8.2
- version/red hat enterprise linux server/8.4
- version/red hat enterprise linux server update services for sap solutions/8.1
- version/red hat enterprise linux server update services for sap solutions/8.2
- version/red hat enterprise linux server update services for sap solutions/8.4
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/7.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/20.04
- version/ubuntu linux/21.10
- vendor/suse
- canonical/suse enterprise storage
- version/suse enterprise storage/7.0
- canonical/suse linux enterprise high performance computing
- version/suse linux enterprise high performance computing/15.0-sp2
- canonical/suse manager proxy
- version/suse manager proxy/4.1
- canonical/suse manager
- version/suse manager/4.1
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/15-sp2
- canonical/suse linux enterprise server
- version/suse linux enterprise server/15-sp2
- canonical/suse linux workstation extension
- version/suse linux workstation extension/12-sp5
- vendor/oracle
- canonical/oracle http server
- version/oracle http server/12.2.1.3.0
- version/oracle http server/12.2.1.4.0
- canonical/oracle storage cloud software appliance
- version/oracle storage cloud software appliance/8.8
- vendor/siemens
- canonical/siemens sinumerik edge
- canonical/siemens scalance lpe9403 firmware
- vendor/starwindsoftware
- canonical/starwind command center
- version/starwind command center/1.0-update3_build5871
- canonical/starwind virtual san
- version/starwind virtual san/v8-build14338
- canonical/starwind hyperconverged appliance