Bug 2025869 (CVE-2021-4034) - CVE-2021-4034 polkit: Local privilege escalation in pkexec due to incorrect handling of argument vector
Summary: CVE-2021-4034 polkit: Local privilege escalation in pkexec due to incorrect h...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-4034
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2025970 2025971 2025972 2025973 2025974 2025975 2025976 2026267 2026268 2034935 2038187 2038188 2038189 2038190 2045563 2046038
Blocks: 2027507 2025516
TreeView+ depends on / blocked
 
Reported: 2021-11-23 09:16 UTC by msiddiqu
Modified: 2022-05-17 10:01 UTC (History)
43 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-02-17 15:32:36 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 6683131 0 None None None 2022-01-31 18:24:30 UTC
Red Hat Product Errata RHBA-2022:0319 0 None None None 2022-01-27 17:08:23 UTC
Red Hat Product Errata RHBA-2022:0326 0 None None None 2022-01-31 15:17:21 UTC
Red Hat Product Errata RHBA-2022:0327 0 None None None 2022-01-31 15:43:59 UTC
Red Hat Product Errata RHSA-2022:0265 0 None None None 2022-01-25 17:58:51 UTC
Red Hat Product Errata RHSA-2022:0266 0 None None None 2022-01-25 18:09:31 UTC
Red Hat Product Errata RHSA-2022:0267 0 None None None 2022-01-25 18:16:18 UTC
Red Hat Product Errata RHSA-2022:0268 0 None None None 2022-01-25 18:01:39 UTC
Red Hat Product Errata RHSA-2022:0269 0 None None None 2022-01-25 18:17:04 UTC
Red Hat Product Errata RHSA-2022:0270 0 None None None 2022-01-25 18:18:33 UTC
Red Hat Product Errata RHSA-2022:0271 0 None None None 2022-01-25 18:38:17 UTC
Red Hat Product Errata RHSA-2022:0272 0 None None None 2022-01-25 18:26:58 UTC
Red Hat Product Errata RHSA-2022:0273 0 None None None 2022-01-25 18:59:48 UTC
Red Hat Product Errata RHSA-2022:0274 0 None None None 2022-01-25 19:59:06 UTC
Red Hat Product Errata RHSA-2022:0443 0 None None None 2022-02-07 10:46:33 UTC
Red Hat Product Errata RHSA-2022:0540 0 None None None 2022-02-15 10:58:58 UTC

Description msiddiqu 2021-11-23 09:16:03 UTC
A Local Privilege Escalation vulnerability (from any user to root) was found in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.

Comment 5 lnacshon 2021-11-24 09:15:56 UTC
OSD clusters are affected with low severity, just because some clusters are making use of packages which have dependencies on polkit (e.g. timedatex). Also as affecting by OCP, polkit package was shipped in OCP 4.7 only.

Comment 11 Marco Benatto 2022-01-20 15:58:48 UTC
There's an issue on pkexec where it doesn’t validate the argument count, assuming it will always be at least 1 and that the second value is either NULL or the command to be executed by pkexec as a privileged user. If an attacker successfully forces the argument array to be empty, this means pkexec will interpret content from the environment array as the application to be executed. An attacker can leverage this by manipulating these variables to contain specific values and payloads, allowing it to be executed as a privileged user without any authentication to be requested.

Comment 12 Marco Benatto 2022-01-25 17:23:21 UTC
Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 2045563]

Comment 13 Marco Benatto 2022-01-25 17:47:55 UTC
Upstream commit for this issue:
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683

Comment 14 errata-xmlrpc 2022-01-25 17:58:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0265 https://access.redhat.com/errata/RHSA-2022:0265

Comment 15 errata-xmlrpc 2022-01-25 18:01:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0268 https://access.redhat.com/errata/RHSA-2022:0268

Comment 16 errata-xmlrpc 2022-01-25 18:09:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0266 https://access.redhat.com/errata/RHSA-2022:0266

Comment 17 errata-xmlrpc 2022-01-25 18:16:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0267 https://access.redhat.com/errata/RHSA-2022:0267

Comment 18 errata-xmlrpc 2022-01-25 18:17:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:0269 https://access.redhat.com/errata/RHSA-2022:0269

Comment 19 errata-xmlrpc 2022-01-25 18:18:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:0270 https://access.redhat.com/errata/RHSA-2022:0270

Comment 20 errata-xmlrpc 2022-01-25 18:26:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:0272 https://access.redhat.com/errata/RHSA-2022:0272

Comment 21 errata-xmlrpc 2022-01-25 18:38:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:0271 https://access.redhat.com/errata/RHSA-2022:0271

Comment 22 errata-xmlrpc 2022-01-25 18:59:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:0273 https://access.redhat.com/errata/RHSA-2022:0273

Comment 23 errata-xmlrpc 2022-01-25 19:59:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0274 https://access.redhat.com/errata/RHSA-2022:0274

Comment 24 Tomas Hoger 2022-01-25 20:25:46 UTC
Qualys advisory:

https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

Comment 25 Sandro Bonazzola 2022-01-26 08:48:12 UTC
Created oVirt tracking bug for this issue:

Affects: oVirt Node 4.4 [ bug 2046038 ]

Comment 50 errata-xmlrpc 2022-02-07 10:46:29 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:0443 https://access.redhat.com/errata/RHSA-2022:0443

Comment 56 errata-xmlrpc 2022-02-15 10:58:54 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:0540 https://access.redhat.com/errata/RHSA-2022:0540

Comment 57 Product Security DevOps Team 2022-02-15 11:47:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4034

Comment 62 西门吹雪 2022-02-17 06:20:49 UTC
@907949961@qq.com

Comment 65 lnacshon 2022-03-16 10:08:19 UTC
For C#59
The impact on Services is Low, since to use polkit, the user should use a graphical or a CLI to authenticate to get a service with polkit acting as the authentication agent. In OSD, the graphical usage is not relevant; in CLI usage, the user will use the OC command to authenticate to the OSD cluster.
Also, OSD does not make any special use of polkit in production clusters. In OSD, on one of the test OSD cluster's master, timedatex has a dependency on polkit. Therefore, for OSD/ARO, the impact is Low.


Your OSD clusters are in the production group and therefore do not make any special use of polkit.


If you have any additional questions, please let me know.


Note You need to log in before you can comment on or make changes to this bug.