CVE-2021-4034
Public on
Last Modified:
Description
The CVE Program describes this issue as:
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
Security Bulletin
https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
Mitigation
For customers who cannot update immediately and doesn't have Secure Boot feature enabled, the issue can be mitigated by executing the following steps:
1) Install required systemtap packages and dependencies as per - pointed by https://access.redhat.com/solutions/5441
2) Install polkit debug info:
debuginfo-install polkit
3) Create the following systemtap script, and name it pkexec-block.stp:
probe process("/usr/bin/pkexec").function("main") {
if (cmdline_arg(1) == "")
raise(9);
}
4) Load the systemtap module into the running kernel:
stap -g -F -m stap_pkexec_block pkexec_block.stp
5) Ensure the module is loaded:
lsmod | grep -i stap_pkexec_block
stap_pkexec_block 434176 0
6) Once polkit package was updated to the version containing the fix, the systemtap generated kernel module can be removed by running:
rmmod stap_pkexec_block
This mitigation doesn't work for Secure Boot enabled system as SystemTap would require an external compiling server to be able to sign the generated kernel module
with a key enrolled into the Kernel's keyring.
Additional information
- Bugzilla 2025869: polkit: Local privilege escalation in pkexec due to incorrect handling of argument vector
- (CWE-125|CWE-787)->CWE-20: Out-of-bounds Read or Out-of-bounds Write leads to Improper Input Validation
- FAQ: Frequently asked questions about CVE-2021-4034
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
Red Hat | NVD | |
---|---|---|
CVSS v3 Base Score | 7.8 | 7.8 |
Attack Vector | Local | Local |
Attack Complexity | Low | Low |
Privileges Required | Low | Low |
User Interaction | None | None |
Scope | Unchanged | Unchanged |
Confidentiality Impact | High | High |
Integrity Impact | High | High |
Availability Impact | High | High |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Acknowledgements
Red Hat would like to thank Qualys Research Labs for reporting this issue.
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.