Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

SVG:Advisory-SVG-CVE-2021-4034

From EGIWiki
Revision as of 11:41, 10 February 2022 by Cornwall (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-CVE-2021-4034



Title:       EGI SVG 'ADVISORY' [TLP:WHITE] **UPDATE ** CRITICAL risk - 
             Local privilege escalation vulnerability on polkit's pkexec utility.  [EGI-SVG-CVE-2021-4034] 

Date:        2022-01-26
Updated:     2022-01-26


Affected software and risk
==========================

CRITICAL risk vulnerability concerning polkit

Package : Polkit
CVE ID  : CVE-2021-4034
Bug ID  : Bugzilla 2025869


A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid 
tool designed to allow unprivileged users to run commands as privileged users according predefined policies. 
The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to 
execute environment variables as commands. An attacker can leverage this by crafting environment variables 
in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can 
cause a local privilege escalation given unprivileged users administrative rights on the target machine.  [R 1], [R 2], [R 3]

**UPDATE 2022-01-26 ** 

To clarify RedHat 6, RedHat 7 are affected as well as RedHat 8. [R 1]

Updates are now available for Scientific Linux and CentOS

Sites are recommended to check for updates for any other Linux distributions they are using.
 

Actions required/recommended
============================

Sites are required to urgently install a new version, or carry out mitigation.

All running resources MUST be either patched or have mitigation
in place or software removed by 2022-02-03  00:00 UTC

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. 


Component installation information
==================================

Sites running RHEL should see [R 1], [R 2]

Sites running CentOS should also see [R 1], [R 2] 

**UPDATE 2022-01-26 Updates for CentOS7 have been made, but are not in all mirrors yet at time of writing**

Sites running Debian should see [R 4]

Sites running Ubuntu should see [R 5]

Sites running Almalinux should see [R 6], [R 7]

Sites running RockyLinux should see [R 8] 

Sites running Scientific Linux should see [R 9]

**UPDATE 2022-01-26 Updates Scientific Linux are now available**

Mitigation
==========

Detailed mitigation steps are provided by RedHat - [R 1]

Another temporary mitigation is to remove the setuid bit from /usr/bin/pkexec -

chmod u-s /usr/bin/pkexec
 

Affected software details
=========================

See [R 1]


More information
================

A public exploit has been released. It is fairly trivial to exploit this vulnerability. 

**UPDATE 2022-01-26 Including to  clarify that RedHat 7 is affected, as well as RedHat 8- in the previous 
version it mentioned RedHat 8 in the Component installation information, which was an error. Apologies. **


TLP and URL
===========

** WHITE information - Unlimited distribution 
- see https://confluence.egi.eu/display/EGIG/Traffic+Light+Protocol for distribution restrictions **  


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 99]. 

Note that this is undergoing revision.


References
==========

[R 1] https://access.redhat.com/security/cve/CVE-2021-4034

[R 2] https://access.redhat.com/security/vulnerabilities/RHSB-2022-001

[R 3] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

[R 4] https://security-tracker.debian.org/tracker/CVE-2021-4034

[R 5] https://ubuntu.com/security/CVE-2021-4034

[R 6] https://errata.almalinux.org/

[R 7] https://errata.almalinux.org/8/ALSA-2022-0267.html

[R 8] https://errata.rockylinux.org/

[R 9] https://www.scientificlinux.org/category/sl-errata/


[R 99] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Vincent Brillault

Timeline  
========
Yyyy-mm-dd  [EGI-SVG-2022-CVE-2021-4034] 

2022-01-26 SVG alerted to this issue by Vincent Brillault
2022-01-26 Acknowledgement from the EGI SVG to the reporter
2022-01-26 EGI SVG Risk Assessment completed  
2022-01-26 Advisory sent to sites
2022-01-26 Advisory updated - to clarify RedHat 6, 7 and 8 are all affected, and  more linux releases to fix this.


Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 99]  in the context of how the software is used in the EGI infrastructure. It is the opinion of the group, we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used.   

Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group


Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure. 

On behalf of the EGI SVG,