Bug 2025869 (CVE-2021-4034) - CVE-2021-4034 polkit: Local privilege escalation in pkexec due to incorrect handling of argument vector
Summary: CVE-2021-4034 polkit: Local privilege escalation in pkexec due to incorrect h...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-4034
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2025970 2025971 2025972 2025973 2025974 2025975 2025976 2026267 2026268 2034935 2038187 2038188 2038189 2038190 2045563 2046038
Blocks: 2025516 2027507
TreeView+ depends on / blocked
 
Reported: 2021-11-23 09:16 UTC by msiddiqu
Modified: 2023-10-10 09:49 UTC (History)
43 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-02-17 15:32:36 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 6683131 0 None None None 2022-01-31 18:24:30 UTC
Red Hat Product Errata RHBA-2022:0319 0 None None None 2022-01-27 17:08:23 UTC
Red Hat Product Errata RHBA-2022:0326 0 None None None 2022-01-31 15:17:21 UTC
Red Hat Product Errata RHBA-2022:0327 0 None None None 2022-01-31 15:43:59 UTC
Red Hat Product Errata RHSA-2022:0265 0 None None None 2022-01-25 17:58:51 UTC
Red Hat Product Errata RHSA-2022:0266 0 None None None 2022-01-25 18:09:31 UTC
Red Hat Product Errata RHSA-2022:0267 0 None None None 2022-01-25 18:16:18 UTC
Red Hat Product Errata RHSA-2022:0268 0 None None None 2022-01-25 18:01:39 UTC
Red Hat Product Errata RHSA-2022:0269 0 None None None 2022-01-25 18:17:04 UTC
Red Hat Product Errata RHSA-2022:0270 0 None None None 2022-01-25 18:18:33 UTC
Red Hat Product Errata RHSA-2022:0271 0 None None None 2022-01-25 18:38:17 UTC
Red Hat Product Errata RHSA-2022:0272 0 None None None 2022-01-25 18:26:58 UTC
Red Hat Product Errata RHSA-2022:0273 0 None None None 2022-01-25 18:59:48 UTC
Red Hat Product Errata RHSA-2022:0274 0 None None None 2022-01-25 19:59:06 UTC
Red Hat Product Errata RHSA-2022:0443 0 None None None 2022-02-07 10:46:33 UTC
Red Hat Product Errata RHSA-2022:0540 0 None None None 2022-02-15 10:58:58 UTC

Description msiddiqu 2021-11-23 09:16:03 UTC 
A Local Privilege Escalation vulnerability (from any user to root) was found in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.
Comment 5 lnacshon 2021-11-24 09:15:56 UTC 
OSD clusters are affected with low severity, just because some clusters are making use of packages which have dependencies on polkit (e.g. timedatex). Also as affecting by OCP, polkit package was shipped in OCP 4.7 only.
Comment 11 Marco Benatto 2022-01-20 15:58:48 UTC 
There's an issue on pkexec where it doesn’t validate the argument count, assuming it will always be at least 1 and that the second value is either NULL or the command to be executed by pkexec as a privileged user. If an attacker successfully forces the argument array to be empty, this means pkexec will interpret content from the environment array as the application to be executed. An attacker can leverage this by manipulating these variables to contain specific values and payloads, allowing it to be executed as a privileged user without any authentication to be requested.
Comment 12 Marco Benatto 2022-01-25 17:23:21 UTC 
Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 2045563]
Comment 13 Marco Benatto 2022-01-25 17:47:55 UTC 
Upstream commit for this issue:
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
Comment 14 errata-xmlrpc 2022-01-25 17:58:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0265 https://access.redhat.com/errata/RHSA-2022:0265
Comment 15 errata-xmlrpc 2022-01-25 18:01:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0268 https://access.redhat.com/errata/RHSA-2022:0268
Comment 16 errata-xmlrpc 2022-01-25 18:09:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0266 https://access.redhat.com/errata/RHSA-2022:0266
Comment 17 errata-xmlrpc 2022-01-25 18:16:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0267 https://access.redhat.com/errata/RHSA-2022:0267
Comment 18 errata-xmlrpc 2022-01-25 18:17:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:0269 https://access.redhat.com/errata/RHSA-2022:0269
Comment 19 errata-xmlrpc 2022-01-25 18:18:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:0270 https://access.redhat.com/errata/RHSA-2022:0270
Comment 20 errata-xmlrpc 2022-01-25 18:26:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:0272 https://access.redhat.com/errata/RHSA-2022:0272
Comment 21 errata-xmlrpc 2022-01-25 18:38:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:0271 https://access.redhat.com/errata/RHSA-2022:0271
Comment 22 errata-xmlrpc 2022-01-25 18:59:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:0273 https://access.redhat.com/errata/RHSA-2022:0273
Comment 23 errata-xmlrpc 2022-01-25 19:59:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0274 https://access.redhat.com/errata/RHSA-2022:0274
Comment 24 Tomas Hoger 2022-01-25 20:25:46 UTC 
Qualys advisory:

https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Comment 25 Sandro Bonazzola 2022-01-26 08:48:12 UTC 
Created oVirt tracking bug for this issue:

Affects: oVirt Node 4.4 [ bug 2046038 ]
Comment 50 errata-xmlrpc 2022-02-07 10:46:29 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:0443 https://access.redhat.com/errata/RHSA-2022:0443
Comment 56 errata-xmlrpc 2022-02-15 10:58:54 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:0540 https://access.redhat.com/errata/RHSA-2022:0540
Comment 57 Product Security DevOps Team 2022-02-15 11:47:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4034
Comment 62 西门吹雪 2022-02-17 06:20:49 UTC 
@907949961
Comment 65 lnacshon 2022-03-16 10:08:19 UTC 
For C#59
The impact on Services is Low, since to use polkit, the user should use a graphical or a CLI to authenticate to get a service with polkit acting as the authentication agent. In OSD, the graphical usage is not relevant; in CLI usage, the user will use the OC command to authenticate to the OSD cluster.
Also, OSD does not make any special use of polkit in production clusters. In OSD, on one of the test OSD cluster's master, timedatex has a dependency on polkit. Therefore, for OSD/ARO, the impact is Low.


Your OSD clusters are in the production group and therefore do not make any special use of polkit.


If you have any additional questions, please let me know.
Note You need to log in before you can comment on or make changes to this bug.