CVE-2021-4034 : pwnkit: Local Privilege Escalation in polkit's pkexec

[manager23]

See: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

I notice that it's getting quite a lot of attention on various websites given the potential for abuse via local privilege escalation
Does this affect cPanel / WHM and if so which of the distros (CentOS 6, CentOS 7 etc) are affected and which ones will be patched (CentOS 6 got updated packages for log4j, hoping for the same here if vulnerable)?

--Ruud

 

[Duke C]

In case it helps anyone, you can check if the patched version of polkit is installed on your systems like so:

rpm -q --changelog polkit | grep -B2 CVE-2021-4034

If your polkit has been updated to the patched version, the output should be something like this:

* Fri Dec 17 2021 Jan Rybar <[email protected]> - 0.112-26.1
- pkexec: argv overflow results in local privilege esc.
- Resolves: CVE-2021-4034

 

[martin MHC]

Hello
I hace checked my local polkit version and it says the flaw is fixed; as per @Duke C 's reply. However, my server security states that various polkit files (pkexec etc.) have been updated last night. Including inode changes.

Is the date "Dec 17 2021" I assume the build date of the version rather than the install date?

Would it seems logical that the update was carried out last night which causes the file-change flagging and prior to 26-01-22 the polkit vulnerability existed on this server?

 

[manager23]

I see updates for this issue on CentOS 7, where /var/log/yum.log shows they were installed about 10 hours ago:

/var/log/yum.log:Jan 27 04:48:24 Updated: polkit-0.112-26.el7_9.1.x86_64

So my remaining question is if we will also get an update for CentOS 6 (I know it's EOL) and if not, does anyone have tips on how to mitigate the risk there?

 

[Babene7]

So my remaining question is if we will also get an update for CentOS 6 (I know it's EOL) and if not, does anyone have tips on how to mitigate the risk there?

According to Qualy's Blog you can mitigate it by removing the SUID-bit from pkexec:

chmod 0755 /usr/bin/pkexec

A user in WHT did it and hasn't run into any issues.

 

[cPRex]

This software is distributed straight from the operating system provider and is not touched by cPanel, so there wouldn't be updates on our end for this.

I would not expect there to be any releases for CentOS 6. You should long be migrated off any CentOS 6 machines for security reasons at this point, or at least using the CloudLinux extended support.

 

[allpar]

FWIW, I can say that (a) I also did the chmod trick and (b) i was indeed updated on my system in the overnight.