Bug 2025869 (CVE-2021-4034)
| Summary: | CVE-2021-4034 polkit: Local privilege escalation in pkexec due to incorrect handling of argument vector | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | 907949961, adsoni, ajose, amarirom, andbartl, aprajapa, asheth, bdettelb, chale, cperry, dahernan, dtarabor, emarcus, fche, gferrazs, grodrigu, jburrell, jentrena, jrybar, knewcome, lnacshon, mbagga, mbenatto, michal.skrivanek, mitr, mperina, nobody, oarribas, pdwyer, polkit-devel, proguski, rdey, redhat, rpalathi, rsandu, sbonazzo, security-response-team, shsaxena, swachira, tgunders, vkumar, vsroka, vwalek |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-02-17 15:32:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2025970, 2025971, 2025972, 2025973, 2025974, 2025975, 2025976, 2026267, 2026268, 2034935, 2038187, 2038188, 2038189, 2038190, 2045563, 2046038 | ||
| Bug Blocks: | 2025516, 2027507 | ||
|
Description
msiddiqu
2021-11-23 09:16:03 UTC
OSD clusters are affected with low severity, just because some clusters are making use of packages which have dependencies on polkit (e.g. timedatex). Also as affecting by OCP, polkit package was shipped in OCP 4.7 only. There's an issue on pkexec where it doesn’t validate the argument count, assuming it will always be at least 1 and that the second value is either NULL or the command to be executed by pkexec as a privileged user. If an attacker successfully forces the argument array to be empty, this means pkexec will interpret content from the environment array as the application to be executed. An attacker can leverage this by manipulating these variables to contain specific values and payloads, allowing it to be executed as a privileged user without any authentication to be requested. Created polkit tracking bugs for this issue: Affects: fedora-all [bug 2045563] Upstream commit for this issue: https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0265 https://access.redhat.com/errata/RHSA-2022:0265 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0268 https://access.redhat.com/errata/RHSA-2022:0268 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0266 https://access.redhat.com/errata/RHSA-2022:0266 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0267 https://access.redhat.com/errata/RHSA-2022:0267 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2022:0269 https://access.redhat.com/errata/RHSA-2022:0269 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Via RHSA-2022:0270 https://access.redhat.com/errata/RHSA-2022:0270 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Via RHSA-2022:0272 https://access.redhat.com/errata/RHSA-2022:0272 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Advanced Update Support Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Red Hat Enterprise Linux 7.6 Telco Extended Update Support Via RHSA-2022:0271 https://access.redhat.com/errata/RHSA-2022:0271 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Advanced Update Support Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions Red Hat Enterprise Linux 7.7 Telco Extended Update Support Via RHSA-2022:0273 https://access.redhat.com/errata/RHSA-2022:0273 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0274 https://access.redhat.com/errata/RHSA-2022:0274 Qualys advisory: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Created oVirt tracking bug for this issue: Affects: oVirt Node 4.4 [ bug 2046038 ] This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2022:0443 https://access.redhat.com/errata/RHSA-2022:0443 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2022:0540 https://access.redhat.com/errata/RHSA-2022:0540 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4034 @907949961 For C#59 The impact on Services is Low, since to use polkit, the user should use a graphical or a CLI to authenticate to get a service with polkit acting as the authentication agent. In OSD, the graphical usage is not relevant; in CLI usage, the user will use the OC command to authenticate to the OSD cluster. Also, OSD does not make any special use of polkit in production clusters. In OSD, on one of the test OSD cluster's master, timedatex has a dependency on polkit. Therefore, for OSD/ARO, the impact is Low. Your OSD clusters are in the production group and therefore do not make any special use of polkit. If you have any additional questions, please let me know. |