[BlueOnyx:25320] Re: CVE-2021-4034 (PwnKit) *** IMPORTANT ***

Adam Lepp a at lepp.net
Wed Jan 26 00:11:58 -05 2022


I have a 5209R but got this error message:

[XXXXX]# yum update
Loaded plugins: blueonyx, fastestmirror
Loading mirror speeds from cached hostfile


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: BlueOnyx-5209R/7/x86_64

-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael Stauber
Sent: Tuesday, January 25, 2022 11:57 PM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:25319] CVE-2021-4034 (PwnKit) *** IMPORTANT ***

Hi all,

-------------------------------------------------------------
HTML version of this message is available here:
https://www.blueonyx.it/news/301/15/CVE-2021-4034-PwnKit/
-------------------------------------------------------------

A vulnerability in Polkit's pkexec component identified as CVE-2021-4034
(PwnKit) is present in the default configuration of all major Linux
distributions and can be exploited to gain full root privileges on the
system, researchers warned today.

CVE-2021-4034 has been named PwnKit and its origin has been tracked to the
initial commit of pkexec, more than 12 years ago, meaning that all Polkit
versions are affected.

Part of the Polkit open-source application framework that negotiates the
interaction between privileged and unprivileged processes, pkexec allows an
authorized user to execute commands as another user, doubling as an
alternative to sudo.

*** Easy to exploit, PoC expected soon ***

Researchers at Qualys information security company found that the pkexec
program could be used by local attackers to increase privileges to root on
default installations of Ubuntu, Debian, Fedora, and CentOS.

They warn that PwnKit is likely exploitable on other Linux operating systems
as well.

More information:
https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/

Mitigation and Security Fixes

Running the command ...

chmod 0755 /usr/bin/pkexec

... as "root" removes the SUID-bit from /usr/bin/pkexec and mitigates the
issue until upstream (CentOS, AlmaLinux, etc.) release updated "polkit" RPMs
that permanently fix the issue.

For BlueOnyx and Aventurin{e} we have released a hotfix (wrapped into the
"swatch" RPM) that does this for you. It removes the SUID-flag from
/usr/bin/pkexec unless a fixed "polkit" RPM is eventually released. Be sure
to fully "yum update" your BlueOnyx and Aventurin{e} servers!

Below is a list of available hotfixes and updates listed by platforms:

Aventurin{e} 6109R
===================

Mitigation provided via "swatch" RPM. Available via "yum update"

BlueOnyx 5210R
==============

Mitigation provided via "swatch" RPM. Available via "yum update"

BlueOnyx 5209R
==============

Mitigation provided via "swatch" RPM. Available via "yum update"

BlueOnyx 5207R/5208R (EOL!)
============================

Despite CentOS 6 and SL6 being EOL for quite a while now, there are still
substantial numbers of BlueOnyx 5207R/5208R servers around. As "yum update"
on them is broken since the upstream repositories went away, a YUM update
could not be provided in a sensible fashion.

Therefore we released an updated "polkit" RPM (built from the Red Hat
Enterprise Linux Server 6 - Extended Life Cycle Support Errata page
SRPM) as PKG file. You can download and install this in the GUI via NewLinQ.
The PKG is named "Polkit". The "Polkit" PKG is available to you on BlueOnyx
5207R and BlueOnyx 5208R even if you do not have any ongoing NewLinQ
subscription.

As noted above: Release of this fix as a PKG was *only* needed for BlueOnyx
5207R/5208R. Installation of this PKG also unties your BlueOnyx 5207R/5208R
from the CentOS 6 and/or Scientific Linux 67 YUM repositories and ties it
into vault.centos.org, which will at least restore YUM to basic working
order for future emergency YUM updates against the BlueOnyx YUM
repositories.

To ensure safe operation of your BlueOnyx and Aventurin{e} servers please
make sure to have all updates installed.

--
With best regards

Michael Stauber
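
Added example, not part of the original announcement and not the code of the BlueOnyx "swatch" hotfix: a POSIX shell check for the mitigation described above, which reports whether pkexec still carries the SUID bit and applies "chmod 0755" only when it does. The function names and the PKEXEC_PATH variable are made up for this example; /usr/bin/pkexec is the path given in the message.

```shell
#!/bin/sh
# Added example: audit and apply the pkexec SUID mitigation from the advisory.
# PKEXEC_PATH and all function names are hypothetical, chosen for this example.
PKEXEC_PATH="${PKEXEC_PATH:-/usr/bin/pkexec}"

# Print one of: absent | suid | mitigated
pkexec_state() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo absent
    elif [ -u "$f" ]; then          # -u is true when the set-user-ID bit is set
        echo suid
    else
        echo mitigated
    fi
}

# Apply the advisory's mitigation (chmod 0755) and confirm the bit is gone.
# Returns 0 when the file is absent or ends up without SUID, non-zero otherwise.
pkexec_mitigate() {
    f="$1"
    case "$(pkexec_state "$f")" in
        absent|mitigated) return 0 ;;
        suid)
            chmod 0755 "$f" || return 1
            [ "$(pkexec_state "$f")" = mitigated ]
            ;;
    esac
}

# One-line report for cron or monitoring; return status 2 means still SUID.
pkexec_report() {
    f="$1"
    state=$(pkexec_state "$f")
    echo "$f: $state"
    [ "$state" != suid ] || return 2
}

# Report only; nothing is changed unless pkexec_mitigate is called as root.
pkexec_report "$PKEXEC_PATH" || echo "action needed: pkexec_mitigate $PKEXEC_PATH"
```

Re-running the report after each "yum update" is worthwhile, because installing a polkit RPM sets the file mode back to the one recorded in the package.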