# CVE-2021-4034 Mitigation Playbook v.1.1
# Copyright (c) 2022 Red Hat, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Warning! Be sure to download the latest version of this script from its primary source:
# https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
#
# This playbook will install systemtap utilities and create a systemtap script to prevent
# pkexec from being executed with an empty first argument. The script will need to be
# installed each time the system is booted to be effective. You can use this playbook to
# install the script after booting.
#
# To use this playbook, set the HOSTS extra var with the name of the hosts or group
# you wish to modify:
#
#   ansible-playbook -e HOSTS=web,mail,ns1 CVE-2021-4034_stap_mitigate.yml
#
# To verify that the script is installed, issue the command `lsmod` and look for
# `stap_pkexec_block` in the list of loaded modules.
#
# To remove the script after a fixed package has been installed, find the process ID of
# systemtap with pgrep or ps, for example:
#
#   [root@host ~]# ps $(pgrep stap)
#   23344
#
# Then, kill the systemtap process with the SIGTERM signal:
#
#   [root@host ~]# kill -s SIGTERM 23344
#
# Alternatively, you can reboot the system. When no longer needed,
# /root/pkexec-block.stp and /root/pkexec-block.log can be removed.
---
# One play: build and load a SystemTap probe that kills pkexec (signal 9)
# whenever it is started with an empty first argument. Target hosts come
# from the HOSTS extra var; every task runs with privilege escalation.
- name: "[TEMPORARY MITIGATION] Block pkexec with empty first argument with systemtap"
  hosts: "{{ HOSTS }}"
  become: true
  tasks:
    # stap builds a kernel module, so kernel-devel must match the running kernel.
    - name: Install systemtap packages
      yum:
        name:
          - systemtap
          - yum-utils
          - "kernel-devel-{{ ansible_kernel }}"

    # On RHEL 7 the kernel debuginfo is installed.
    - name: (RHEL 7) Install kernel debuginfo
      command: "debuginfo-install -y kernel-{{ ansible_kernel }}"
      when: ansible_distribution_major_version == '7'

    # On RHEL 6 and 8 the polkit debuginfo is installed instead.
    - name: (RHEL 6/8) Install polkit debuginfo
      command: debuginfo-install -y polkit
      when: ansible_distribution_major_version in ['6', '8']

    # RHEL 6 with SELinux enabled needs libselinux-python for the Ansible copy
    # module to work.
    - name: (RHEL 6) Install libselinux-python
      yum:
        name:
          - libselinux-python
      when: ansible_distribution_major_version == '6'

    # The probe source is root-only (0600) and is never overwritten once present
    # (force: false). raise() requires guru mode, enabled with -g below.
    - name: Create systemtap script
      copy:
        dest: /root/pkexec-block.stp
        owner: root
        group: root
        mode: '0600'
        force: false
        content: |
          probe process("/usr/bin/pkexec").function("main")
          {
            if (cmdline_arg(1) == "")
              raise(9);
          }

    # grep exit status: 0 = module listed, 1 = not listed, 2 = read error.
    # Only 2 is treated as a task failure; the grep runs even in check mode.
    - name: Checking if stap_pkexec_block module is already loaded
      command: grep -Fq stap_pkexec_block /proc/modules
      register: loaded_module
      changed_when: false
      failed_when: loaded_module.rc == 2
      check_mode: false

    # Load the probe only when it is not already present. The task never fails
    # on its own; the exit status is inspected by the task that follows.
    - name: Install systemtap script
      command: >-
        stap -F -o /root/pkexec-block.log -S 1 -m stap_pkexec_block
        -g /root/pkexec-block.stp
      register: stap_run
      failed_when: false
      when: loaded_module.rc == 1

    # When the load task was skipped, stap_run carries no rc, hence default(0).
    - name: Report a failed systemtap load
      fail:
        msg: >-
          The systemtap script could not be installed. If this system has
          Secure Boot enabled, a signed kernel module must be generated to
          use this mitigation. See the Security Bulletin for more information.
      when: stap_run.rc | default(0) != 0