Title: EGI SVG 'ADVISORY' [TLP:WHITE] **UPDATE ** CRITICAL risk - Local
privilege escalation vulnerability on polkit's pkexec utility.
[EGI-SVG-CVE-2021-4034]
Date: 2022-01-26
Updated: 2022-01-26
Affected software and risk
==========================
CRITICAL risk vulnerability concerning polkit
Package : Polkit
CVE ID : CVE-2021-4034
Bug ID : Bugzilla 2025869
A local privilege escalation vulnerability was found on polkit's pkexec
utility. The pkexec application is a setuid tool designed to allow unprivileged
users to run commands as privileged users according predefined policies.
The current version of pkexec doesn't handle the calling parameters count
correctly and ends trying to execute environment variables as commands. An
attacker can leverage this by crafting environment variables in such a way
it'll induce pkexec to execute arbitrary code. When successfully executed the
attack can cause a local privilege escalation given unprivileged users
administrative rights on the target machine. [R 1], [R 2], [R 3]
**UPDATE 2022-01-26 **
To clarify RedHat 6, RedHat 7 are affected as well as RedHat 8. [R 1]
Updates are now available for Scientific Linux and CentOS
Sites are recommended to check for updates for any other Linux distributions
they are using.
Actions required/recommended
============================
Sites are required to urgently install a new version, or carry out mitigation.
All running resources MUST be either patched or have mitigation
in place or software removed by 2022-02-03 00:00 UTC
Sites failing to act and/or failing to respond to requests from the EGI CSIRT
team risk site suspension.
Component installation information
==================================
Sites running RHEL should see [R 1], [R 2]
Sites running CentOS should also see [R 1], [R 2]
**UPDATE 2022-01-26 Updates for CentOS7 have been made, but are not in all
mirrors yet at time of writing**
Sites running Debian should see [R 4]
Sites running Ubuntu should see [R 5]
Sites running Almalinux should see [R 6], [R 7]
Sites running RockyLinux should see [R 8]
Sites running Scientific Linux should see [R 9]
**UPDATE 2022-01-26 Updates Scientific Linux are now available**
Mitigation
==========
Detailed mitigation steps are provided by RedHat - [R 1]
Another temporary mitigation is to remove the setuid bit from /usr/bin/pkexec -
chmod u-s /usr/bin/pkexec
Affected software details
=========================
See [R 1]
More information
================
A public exploit has been released. It is fairly trivial to exploit this
vulnerability.
** UPDATE 2022-01-26 Including to clarify that RedHat 7 is affected, as well
as RedHat 8- in the previous version it mentioned RedHat 8 in the Component
installation information, which was an error. Apologies. **
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for distribution restrictions **
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99].
Note that this is undergoing revision.
References
==========
[R 1] https://access.redhat.com/security/cve/CVE-2021-4034
[R 2] https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
[R 3] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
[R 4] https://security-tracker.debian.org/tracker/CVE-2021-4034
[R 5] https://ubuntu.com/security/CVE-2021-4034
[R 6] https://errata.almalinux.org/
[R 7] https://errata.almalinux.org/8/ALSA-2022-0267.html
[R 8] https://errata.rockylinux.org/
[R 9] https://www.scientificlinux.org/category/sl-errata/
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3145
Credit
======
SVG was alerted to this vulnerability by Vincent Brillault
Timeline
========
Yyyy-mm-dd [EGI-SVG-2022-CVE-2021-4034]
2022-01-26 SVG alerted to this issue by Vincent Brillault
2022-01-26 Acknowledgement from the EGI SVG to the reporter
2022-01-26 EGI SVG Risk Assessment completed
2022-01-26 Advisory sent to sites
2022-01-26 Advisory updated - to clarify RedHat 6, 7 and 8 are all affected,
and more linux releases to fix this.
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
Note that the SVG issue handling procedure is currently under review, to take
account of the increasing inhomogeneity of the EGI infrastructure.
On behalf of the EGI SVG,