CVE-2021-4034 : pwnkit: Local Privilege Escalation in polkit's pkexec

manager23

Member
Aug 13, 2013
cPanel Access Level
Root Administrator
See: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

I notice that it's getting quite a lot of attention on various websites given the potential for abuse via local privilege escalation.
Does this affect cPanel / WHM and if so which of the distros (CentOS 6, CentOS 7 etc) are affected and which ones will be patched (CentOS 6 got updated packages for log4j, hoping for the same here if vulnerable)?

--Ruud
 

Duke C

Registered
May 2, 2019
Brisbane
cPanel Access Level
DataCenter Provider
In case it helps anyone, you can check if the patched version of polkit is installed on your systems like so:

Bash:
rpm -q --changelog polkit | grep -B2 CVE-2021-4034

If your polkit has been updated to the patched version, the output should be something like this:

Code:
* Fri Dec 17 2021 Jan Rybar <[email protected]> - 0.112-26.1
- pkexec: argv overflow results in local privilege esc.
- Resolves: CVE-2021-4034
 

martin MHC

Well-Known Member
Sep 14, 2016
UK
cPanel Access Level
Root Administrator
Hello
I have checked my local polkit version and it says the flaw is fixed, as per @Duke C's reply. However, my server security states that various polkit files (pkexec etc.) were updated last night, including inode changes.

Is the date "Dec 17 2021", I assume, the build date of the version rather than the install date?

Would it seem logical that the update was carried out last night, which caused the file-change flagging, and that prior to 26-01-22 the polkit vulnerability existed on this server?
 

manager23

Member
Aug 13, 2013
cPanel Access Level
Root Administrator
I see updates for this issue on CentOS 7, where /var/log/yum.log shows they were installed about 10 hours ago:
Code:
/var/log/yum.log:Jan 27 04:48:24 Updated: polkit-0.112-26.el7_9.1.x86_64
So my remaining question is if we will also get an update for CentOS 6 (I know it's EOL) and if not, does anyone have tips on how to mitigate the risk there?
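The following is an added example (not posted by anyone in this thread) that turns Duke C's changelog check and the mitigation question above into two reusable shell functions: one that inspects `rpm -q --changelog polkit` output for the CVE-2021-4034 fix, and one that reports whether a pkexec binary still carries the setuid bit, which the Qualys advisory linked in the first post names as the temporary mitigation (`chmod 0755 /usr/bin/pkexec`) when no vendor patch is available. The sample changelog text embedded below is constructed to mirror the patched output shown earlier; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example for the CVE-2021-4034 (pwnkit) thread; not from the forum posts.
# Two checks: is the installed polkit changelog marked as fixed, and is
# pkexec still setuid root (the exploit requires the setuid bit).

# polkit_changelog_patched CHANGELOG_TEXT
#   Returns 0 when the changelog names CVE-2021-4034 (vendor fix present),
#   1 otherwise. Feed it the output of: rpm -q --changelog polkit
polkit_changelog_patched() {
    printf '%s\n' "$1" | grep -q 'CVE-2021-4034'
}

# pkexec_is_setuid PATH
#   Returns 0 when PATH exists and has the setuid bit set, 1 otherwise.
#   A pkexec without setuid cannot be used for this escalation; the Qualys
#   advisory recommends 'chmod 0755 /usr/bin/pkexec' as a stopgap on hosts
#   with no patch (e.g. EOL CentOS 6).
pkexec_is_setuid() {
    [ -u "$1" ]
}

# check_host [PKEXEC_PATH]
#   Live check for an RPM-based host. Prints a verdict and returns 0 when the
#   host is either patched or mitigated, 1 when it is still exposed.
check_host() {
    pkexec_path="${1:-/usr/bin/pkexec}"
    changelog=$(rpm -q --changelog polkit 2>/dev/null)
    if polkit_changelog_patched "$changelog"; then
        echo "polkit changelog references CVE-2021-4034: patched package installed"
        return 0
    fi
    if pkexec_is_setuid "$pkexec_path"; then
        echo "WARNING: no CVE-2021-4034 fix in polkit changelog and $pkexec_path is setuid"
        return 1
    fi
    echo "no vendor fix found, but $pkexec_path is not setuid (mitigated)"
    return 0
}

# Constructed sample, shaped like the patched changelog entry shown in the thread.
SAMPLE_PATCHED_CHANGELOG='* Fri Dec 17 2021 Jan Rybar <[email protected]> - 0.112-26.1
- pkexec: argv overflow results in local privilege esc.
- Resolves: CVE-2021-4034'

# Only run the live check where rpm exists (e.g. CentOS/RHEL/AlmaLinux).
command -v rpm >/dev/null 2>&1 && check_host
```

On a CentOS 7 box that received polkit-0.112-26.el7_9.1 this prints the "patched" line; on an unpatched CentOS 6 host it prints the warning until the setuid bit is dropped from pkexec, after which it reports "mitigated". File-integrity tools will flag that chmod as a mode change on pkexec, just as the package update itself was flagged earlier in this thread.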
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
This software is distributed straight from the operating system provider and is not touched by cPanel, so there wouldn't be updates on our end for this.

I would not expect there to be any releases for CentOS 6. You should long be migrated off any CentOS 6 machines for security reasons at this point, or at least using the CloudLinux extended support.