[BlueOnyx:25319] CVE-2021-4034 (PwnKit) *** IMPORTANT ***
Michael Stauber
mstauber at blueonyx.it
Tue Jan 25 23:57:29 -05 2022
Hi all,
-------------------------------------------------------------
HTML version of this message is available here:
https://www.blueonyx.it/news/301/15/CVE-2021-4034-PwnKit/
-------------------------------------------------------------
A vulnerability in Polkit's pkexec component identified as CVE-2021-4034
(PwnKit) is present in the default configuration of all major Linux
distributions and can be exploited to gain full root privileges on the
system, researchers warned today.
CVE-2021-4034 has been named PwnKit and its origin has been tracked to
the initial commit of pkexec, more than 12 years ago, meaning that all
Polkit versions are affected.
Part of the Polkit open-source application framework that negotiates the
interaction between privileged and unprivileged processes, pkexec allows
an authorized user to execute commands as another user, doubling as an
alternative to sudo.
*** Easy to exploit, PoC expected soon ***
Researchers at the information security company Qualys found that the
pkexec program could be used by local attackers to escalate privileges to
root on default installations of Ubuntu, Debian, Fedora, and CentOS.
They warn that PwnKit is likely exploitable on other Linux operating
systems as well.
More information:
https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/
Mitigation and Security Fixes
Running the command ...
chmod 0755 /usr/bin/pkexec
... as "root" removes the SUID-bit from /usr/bin/pkexec and mitigates
the issue until upstream (CentOS, AlmaLinux, etc.) release updated
"polkit" RPMs that permanently fix the issue. Note that without the
SUID-bit pkexec can no longer run commands as another user, so anything
that relies on pkexec for privilege elevation will fail until the fixed
"polkit" RPM is installed. Verify the change with "ls -l /usr/bin/pkexec":
the mode should read "-rwxr-xr-x", not "-rwsr-xr-x".
For BlueOnyx and Aventurin{e} we have released a hotfix (wrapped into
the "swatch" RPM) that does this for you. It removes the SUID-flag from
/usr/bin/pkexec until a fixed "polkit" RPM is eventually released. Be
sure to fully "yum update" your BlueOnyx and Aventurin{e} servers!
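A small POSIX shell check for the mitigation above, added here as an
example; it is not part of the original announcement nor of the "swatch"
RPM. It reports whether a pkexec binary still carries the SUID-bit,
applies the "chmod 0755" mitigation on request, and (where rpm is
available) looks for CVE-2021-4034 in the installed polkit changelog as
the sign that a permanently fixed RPM is in place. The function names and
the demo on a temporary file are this example's own assumptions; the
demo exists so the logic can be exercised without root and without
touching the real /usr/bin/pkexec.

```shell
#!/bin/sh
# Added example (not from the BlueOnyx announcement or the swatch RPM):
# check and apply the CVE-2021-4034 (PwnKit) SUID-bit mitigation for pkexec.
# Function names are assumptions made for this example.

# Return 0 if the file at $1 has the setuid bit set, 1 if it does not,
# 2 if the file is missing. Uses the ls mode string ("-rwsr-xr-x"), whose
# fourth character is 's' or 'S' when setuid is set, so it works on any
# POSIX ls without relying on GNU stat options.
pkexec_is_setuid() {
    f="$1"
    [ -e "$f" ] || return 2
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# The mitigation from the announcement: chmod 0755 drops the setuid bit.
# Must run as root when applied to the real /usr/bin/pkexec.
pkexec_mitigate() {
    chmod 0755 "$1"
}

# Return 0 if the installed polkit RPM's changelog mentions CVE-2021-4034,
# i.e. a permanently fixed package is installed; 1 otherwise (also when
# rpm is not available, so callers fall back to the SUID-bit check).
polkit_rpm_fixed() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --changelog polkit 2>/dev/null | grep -q 'CVE-2021-4034'
}

# One-line status suitable for a cron job or monitoring check.
# Exit status 1 means "still exposed", 0 means "mitigated or fixed".
pkexec_report() {
    bin="${1:-/usr/bin/pkexec}"
    if polkit_rpm_fixed; then
        echo "FIXED: polkit RPM changelog references CVE-2021-4034"
        return 0
    fi
    pkexec_is_setuid "$bin"
    rc=$?
    case "$rc" in
        0) echo "VULNERABLE: $bin is setuid; run as root: chmod 0755 $bin"
           return 1 ;;
        1) echo "MITIGATED: $bin has no setuid bit (pkexec is non-functional)"
           return 0 ;;
        *) echo "MISSING: $bin not found"
           return 0 ;;
    esac
}

# Demo on a constructed temporary file (no root needed): prints the
# setuid check result before and after mitigation, expected "0 1".
demo_on_tempfile() {
    tmp=$(mktemp) || return 2
    chmod 4755 "$tmp"
    before=$(pkexec_is_setuid "$tmp"; echo $?)
    pkexec_mitigate "$tmp"
    after=$(pkexec_is_setuid "$tmp"; echo $?)
    rm -f "$tmp"
    echo "$before $after"
}

# Usage when run directly: report on the real binary, then run the demo.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    pkexec_report /usr/bin/pkexec
    demo_on_tempfile
fi
```

Run it as "sh pwnkit-check.sh" on a server to get the status line; a
non-zero exit from pkexec_report means the SUID-bit is still present
and neither the "swatch" hotfix nor a fixed "polkit" RPM has been applied.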
Below is a list of available hotfixes and updates listed by platforms:
Aventurin{e} 6109R
===================
Mitigation provided via "swatch" RPM. Available via "yum update"
BlueOnyx 5210R
==============
Mitigation provided via "swatch" RPM. Available via "yum update"
BlueOnyx 5209R
==============
Mitigation provided via "swatch" RPM. Available via "yum update"
BlueOnyx 5207R/5208R (EOL!)
============================
Despite CentOS 6 and SL6 being EOL for quite a while now, there are
still substantial numbers of BlueOnyx 5207R/5208R servers around. As
"yum update" on them is broken since the upstream repositories went
away, a YUM update could not be provided in a sensible fashion.
Therefore we released an updated "polkit" RPM (built from the Red Hat
Enterprise Linux Server 6 - Extended Life Cycle Support Errata page
SRPM) as PKG file. You can download and install this in the GUI via
NewLinQ. The PKG is named "Polkit". The "Polkit" PKG is available to you
on BlueOnyx 5207R and BlueOnyx 5208R even if you do not have any ongoing
NewLinQ subscription.
As noted above: Release of this fix as a PKG was *only* needed for
BlueOnyx 5207R/5208R. Installation of this PKG also unties your BlueOnyx
5207R/5208R from the CentOS 6 and/or Scientific Linux 6 YUM
repositories and ties it into vault.centos.org, which will at least
restore YUM to basic working order for future emergency YUM updates
against the BlueOnyx YUM repositories.
To ensure safe operation of your BlueOnyx and Aventurin{e} servers
please make sure to have all updates installed.
--
With best regards
Michael Stauber