CVE-2021-4034: Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
First published: Tue Nov 23 2021(Updated: )
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/polkit | <0:0.96-11.el6_10.2 | 0:0.96-11.el6_10.2 |
| redhat/polkit | <0:0.112-26.el7_9.1 | 0:0.112-26.el7_9.1 |
| redhat/polkit | <0:0.112-12.el7_3.1 | 0:0.112-12.el7_3.1 |
| redhat/polkit | <0:0.112-12.el7_4.2 | 0:0.112-12.el7_4.2 |
| redhat/polkit | <0:0.112-18.el7_6.3 | 0:0.112-18.el7_6.3 |
| redhat/polkit | <0:0.112-22.el7_7.2 | 0:0.112-22.el7_7.2 |
| redhat/polkit | <0:0.115-13.el8_5.1 | 0:0.115-13.el8_5.1 |
| redhat/polkit | <0:0.115-9.el8_1.2 | 0:0.115-9.el8_1.2 |
| redhat/polkit | <0:0.115-11.el8_2.2 | 0:0.115-11.el8_2.2 |
| redhat/polkit | <0:0.115-11.el8_4.2 | 0:0.115-11.el8_4.2 |
| redhat/redhat-virtualization-host | <0:4.3.21-20220126.0.el7_9 | 0:4.3.21-20220126.0.el7_9 |
| Red Hat Polkit | ||
| Polkit Project Polkit | <121 | |
| Redhat Enterprise Linux Server Update Services For Sap Solutions | =7.6 | |
| Redhat Enterprise Linux Server Update Services For Sap Solutions | =7.7 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Eus | =8.2 | |
| Redhat Enterprise Linux For Ibm Z Systems | =7.0 | |
| Redhat Enterprise Linux For Ibm Z Systems | =8.0 | |
| Redhat Enterprise Linux For Ibm Z Systems Eus | =8.2 | |
| Redhat Enterprise Linux For Ibm Z Systems Eus | =8.4 | |
| Redhat Enterprise Linux For Power Big Endian | =7.0 | |
| Redhat Enterprise Linux For Power Little Endian | =7.0 | |
| Redhat Enterprise Linux For Power Little Endian | =8.0 | |
| Redhat Enterprise Linux For Power Little Endian Eus | =8.1 | |
| Redhat Enterprise Linux For Power Little Endian Eus | =8.2 | |
| Redhat Enterprise Linux For Power Little Endian Eus | =8.4 | |
| Redhat Enterprise Linux For Scientific Computing | =7.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.3 | |
| Redhat Enterprise Linux Server Aus | =7.4 | |
| Redhat Enterprise Linux Server Aus | =7.6 | |
| Redhat Enterprise Linux Server Aus | =7.7 | |
| Redhat Enterprise Linux Server Aus | =8.2 | |
| Redhat Enterprise Linux Server Aus | =8.4 | |
| Redhat Enterprise Linux Server Eus | =8.4 | |
| Redhat Enterprise Linux Server Tus | =7.6 | |
| Redhat Enterprise Linux Server Tus | =7.7 | |
| Redhat Enterprise Linux Server Tus | =8.2 | |
| Redhat Enterprise Linux Server Tus | =8.4 | |
| Redhat Enterprise Linux Server Update Services For Sap Solutions | =8.1 | |
| Redhat Enterprise Linux Server Update Services For Sap Solutions | =8.2 | |
| Redhat Enterprise Linux Server Update Services For Sap Solutions | =8.4 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| Canonical Ubuntu Linux | =21.10 | |
| SUSE Enterprise Storage | =7.0 | |
| SUSE Linux Enterprise High Performance Computing | =15.0-sp2 | |
| Suse Manager Proxy | =4.1 | |
| SUSE Manager Server | =4.1 | |
| SUSE Linux Enterprise Desktop | =15-sp2 | |
| SUSE Linux Enterprise Server | =15-sp2 | |
| Suse Linux Enterprise Server Sap | =15-sp2 | |
| Suse Linux Enterprise Workstation Extension | =12-sp5 | |
| Oracle HTTP Server | =12.2.1.3.0 | |
| Oracle HTTP Server | =12.2.1.4.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| Siemens Sinumerik Edge | <3.3.0 | |
| Siemens Scalance Lpe9403 Firmware | <2.0 | |
| Siemens Scalance Lpe9403 | ||
| Starwindsoftware Command Center | =1.0-update3_build5871 | |
| Starwindsoftware Starwind Hyperconverged Appliance | ||
| Starwindsoftware Starwind Virtual San | =v8-build14338 |
Remedy
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
Remedy
For customers who cannot update immediately and doesn't have Secure Boot feature enabled, the issue can be mitigated by executing the following steps: 1) Install required systemtap packages and dependencies as per - pointed by https://access.redhat.com/solutions/5441 2) Install polkit debug info: ~~~ debuginfo-install polkit ~~~ 3) Create the following systemtap script, and name it pkexec-block.stp: ~~~ probe process("/usr/bin/pkexec").function("main") { if (cmdline_arg(1) == "") raise(9); } ~~~ 4) Load the systemtap module into the running kernel: ~~~ stap -g -F -m stap_pkexec_block pkexec_block.stp ~~~ 5) Ensure the module is loaded: ~~~ lsmod | grep -i stap_pkexec_block stap_pkexec_block 434176 0 ~~~ 6) Once polkit package was updated to the version containing the fix, the systemtap generated kernel module can be removed by running: ~~~ rmmod stap_pkexec_block ~~~ This mitigation doesn't work for Secure Boot enabled system as SystemTap would require an external compiling server to be able to sign the generated kernel module with a key enrolled into the Kernel's keyring.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html
- http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html
- https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
- https://bugzilla.redhat.com/show_bug.cgi?id=2025869
- https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf
- https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
- https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/
- https://www.starwindsoftware.com/security/sw-20220818-0001/
- https://www.suse.com/support/kb/doc/?id=000020564
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2045563
- https://access.redhat.com/errata/RHSA-2022:0265
- https://access.redhat.com/errata/RHSA-2022:0268
- https://access.redhat.com/errata/RHSA-2022:0266
- https://access.redhat.com/errata/RHSA-2022:0267
- https://access.redhat.com/errata/RHSA-2022:0269
- https://access.redhat.com/errata/RHSA-2022:0270
- https://access.redhat.com/errata/RHSA-2022:0272
- https://access.redhat.com/errata/RHSA-2022:0271
- https://access.redhat.com/errata/RHSA-2022:0273
- https://access.redhat.com/errata/RHSA-2022:0274
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2046038
- https://access.redhat.com/errata/RHSA-2022:0443
- https://access.redhat.com/errata/RHSA-2022:0540
- https://access.redhat.com/security/cve/cve-2021-4034
- https://www.cve.org/CVERecord?id=CVE-2021-4034 https://nvd.nist.gov/vuln/detail/CVE-2021-4034 https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-4034
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/title
- agent/severity
- agent/remedy
- agent/weakness
- agent/references
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- vendor/red hat
- canonical/red hat polkit
- vendor/polkit project
- canonical/polkit project polkit
- vendor/redhat
- canonical/redhat enterprise linux server update services for sap solutions
- version/redhat enterprise linux server update services for sap solutions/7.6
- version/redhat enterprise linux server update services for sap solutions/7.7
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/8.2
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/7.0
- version/redhat enterprise linux for ibm z systems/8.0
- canonical/redhat enterprise linux for ibm z systems eus
- version/redhat enterprise linux for ibm z systems eus/8.2
- version/redhat enterprise linux for ibm z systems eus/8.4
- canonical/redhat enterprise linux for power big endian
- version/redhat enterprise linux for power big endian/7.0
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/7.0
- version/redhat enterprise linux for power little endian/8.0
- canonical/redhat enterprise linux for power little endian eus
- version/redhat enterprise linux for power little endian eus/8.1
- version/redhat enterprise linux for power little endian eus/8.2
- version/redhat enterprise linux for power little endian eus/8.4
- canonical/redhat enterprise linux for scientific computing
- version/redhat enterprise linux for scientific computing/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.3
- version/redhat enterprise linux server aus/7.4
- version/redhat enterprise linux server aus/7.6
- version/redhat enterprise linux server aus/7.7
- version/redhat enterprise linux server aus/8.2
- version/redhat enterprise linux server aus/8.4
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/8.4
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.6
- version/redhat enterprise linux server tus/7.7
- version/redhat enterprise linux server tus/8.2
- version/redhat enterprise linux server tus/8.4
- version/redhat enterprise linux server update services for sap solutions/8.1
- version/redhat enterprise linux server update services for sap solutions/8.2
- version/redhat enterprise linux server update services for sap solutions/8.4
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- version/canonical ubuntu linux/21.10
- vendor/suse
- canonical/suse enterprise storage
- version/suse enterprise storage/7.0
- canonical/suse linux enterprise high performance computing
- version/suse linux enterprise high performance computing/15.0-sp2
- canonical/suse manager proxy
- version/suse manager proxy/4.1
- canonical/suse manager server
- version/suse manager server/4.1
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/15-sp2
- canonical/suse linux enterprise server
- version/suse linux enterprise server/15-sp2
- canonical/suse linux enterprise server sap
- version/suse linux enterprise server sap/15-sp2
- canonical/suse linux enterprise workstation extension
- version/suse linux enterprise workstation extension/12-sp5
- vendor/oracle
- canonical/oracle http server
- version/oracle http server/12.2.1.3.0
- version/oracle http server/12.2.1.4.0
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- vendor/siemens
- canonical/siemens sinumerik edge
- canonical/siemens scalance lpe9403 firmware
- canonical/siemens scalance lpe9403
- vendor/starwindsoftware
- canonical/starwindsoftware command center
- version/starwindsoftware command center/1.0-update3_build5871
- canonical/starwindsoftware starwind hyperconverged appliance
- canonical/starwindsoftware starwind virtual san
- version/starwindsoftware starwind virtual san/v8-build14338