Serious Linux security issue: pwnkit: Local Privilege Escalation in polkit’s pkexec (CVE-2021-4034)
Daniel Nashed – 26 January 2022 23:19:55
This is pretty bad, but it can only be exploited when the attacker already has local access.
Why the package is installed at all by default on many systems, which don't even run a graphical interface, is not understandable.
And how can a bug like this happen at all?
Here is the source of the information --> https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
And here are some technical details:
The package is used to allow certain applications to gain root access -- similar to what sudo does.
The binary has the setuid set, which makes it execute as root.
The application itself has to control who should gain root access (the setuid permission can only be set for binaries -- not for shell scripts).
In this case the binary has a really stupid bug that allows a local attacker to get root access on the machine.
The package that was installed on my machine is the following:
polkit-0.115-12.el8.x86_64 : An authorization framework
Repo : baseos
Filename : /usr/bin/pkexec
And here is the binary affected:
ll /usr/bin/pkexec
-rwsr-xr-x 1 root root 31032 May 26 2021 /usr/bin/pkexec*
It might be installed on many Linux machines of different distributions.
My CentOS Stream 9 did not have it installed.
After quickly looking into it, I removed it from all my systems via
yum remove polkit -y
Here are details about the fix I found: https://gitlab.freedesktop.org/polkit/polkit
But clearly the fix for me is to remove the package.
RHEL 8 provided a new version dated December. But CentOS still does not have it.
Update:
Of course you have to check for yourself whether you have software like "cockpit" that depends on polkit to execute system tasks.
But for me this is the easiest way to get rid of software like cockpit -- a web-based admin tool.
I wasn't even aware it is installed by default.
Usually software that really needs a package will complain if you try to remove it, because of the strong dependency.
If you need to keep the binary and no fix is available yet, you can change the permissions as suggested in the security advisory instead.
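To make the checks described above repeatable, here is a small audit script I am adding as an example; it is not part of the original post or the polkit project. It assumes a POSIX shell with the portable `test -u` operator and find(1); the `/usr/bin/pkexec` path and the `chmod 0755` mitigation come from the advisory, and the temporary test file used below is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the blog post): report whether pkexec is present and
# setuid, optionally apply the advisory's interim mitigation (chmod 0755), and
# inventory root-owned setuid binaries for the wider package review.

# is_setuid PATH -> exit 0 if PATH is a regular file carrying the setuid bit
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# pkexec_state [PATH] -> prints one of: absent | setuid | not-setuid
# PATH defaults to the location from the advisory and the post.
pkexec_state() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo absent
    elif is_setuid "$path"; then
        echo setuid
    else
        echo not-setuid
    fi
}

# drop_setuid PATH -> remove the setuid bit as the advisory suggests when the
# package can neither be updated nor removed yet. Needs root (or file ownership).
# Returns 0 only if the bit is really gone afterwards.
drop_setuid() {
    chmod 0755 "$1" && ! is_setuid "$1"
}

# list_setuid_root DIR -> list root-owned setuid binaries below DIR, staying on
# the same filesystem; a starting point for the "what else is installed" review.
list_setuid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Example invocation (harmless, read-only):
#   pkexec_state            # state of /usr/bin/pkexec on this host
#   list_setuid_root /usr   # inventory of setuid-root binaries under /usr
```

A `setuid` result only says the binary is exposed as shipped; a package updated to a fixed version still installs pkexec setuid, because the fix is in the code, not the permissions. So pair the state check with `rpm -q polkit` against your distribution's errata, and treat `drop_setuid` as the stop-gap for hosts where neither `yum update polkit` nor `yum remove polkit` is possible yet.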
This incident clearly makes me look into my machines again and question the packages installed by default on the distributions I am using.
I blogged about VMware PhotonOS a while ago. They do a great job looking into dependencies they really need and stripping down their images.
Especially on the Docker side.
The Domino Docker image and other Domino base images don't have the software installed, by the way.
They are already more stripped down images, without admin tools like NetworkManager and others.
You really have to balance between convenience and security.
On a server I would say those kinds of admin tools are not needed, nor is software that manages access to restricted resources that usually need "root" permissions.
There might be other software that needs it. So you have to carefully check what to remove.
Thanks Toni for your feedback. My statement from last night was about what I did and that was a decision I took based on the installed software packages that needed it on my machines.
It was a bonus to get those other tools removed in my case :-)
-- Daniel
- Comments [4]
1. Toni Feric 26.01.2022 9:47:18
It should be noted that this package has dependencies.
On an experimental test system, removing the package also removed dependencies.
This is for a CentOS 7 system:
Removing:
polkit
Removing for dependencies:
NetworkManager
NetworkManager-team
NetworkManager-tui
cockpit
cockpit-bridge
cockpit-system
polkit-pkla-compat
realmd
tuned
One would have to assess if they require any of these.
Thanks, Toni
2. Daniel Nashed 26.01.2022 11:44:37
@Toni,
Good note! And it would be very good if all who use it check whether they really need the dependency.
On the other hand, if you installed a package explicitly, yum should warn you that other packages you installed won't work any more if you remove it.
It should not remove any packages for other software you actively installed.
Not having cockpit installed is something that I see as another good piece of security advice.
I don't even know why on earth my server has this installed by default.
But yes, you are right, admins have to check what dependencies they have and just uninstall if not needed.
I got rid of it, along with other software I don't need as a Linux admin ;-)
My point of view in my blog is mainly a Domino server and to keep it operational.
And all those components are not required for Domino to run.
-- Daniel
3. Kevin Johnston 26.01.2022 13:21:28
While this is client and not server, my Linux Mint 20.3 box had an update for this (passed-through Ubuntu update) today.
Will be checking my servers to see if it is in place and, if so, whether there is a patch or I need to uninstall.
4. Toni Feric 27.01.2022 23:01:13
As of yesterday, "yum update polkit" fixes the vuln.
An errata has been published accordingly, so that polkit will pop up in Satellite (etc.) as a security issue.
Cheers, Toni