Ubuntu vulnerability
44 views
Skip to first unread message
Lara Friedman-Shedlov
Jan 25, 2022, 5:17:13 PM1/25/22
to bitcurat...@googlegroups.com
Hi all,
TL;DR: There's a bug in Polkit (PolicyKit) that's included on most Linux distros, including default installations of Ubuntu, Debian, Fedora, and CentOS. The bug allows arbitrary users to escalate privileges to root. Pending patches, I *highly* recommend you evaluate whether the workaround (chmod 0755 on the pkexec command, as mentioned in the article) will work in your environment and, if so, apply that immediately. Otherwise, patch sooner than later.
More details.... Qualys found this bug, and they describe their findings in detail at
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
While they do not appear to be ready to release proof-of-concept code, I understand that the bug is trivial enough to trigger that we shouldn't be waiting for that. The bug has also apparently existed for some time (12 years?) and is thought to be present in all versions of Polkit. Non-Linux systems (notably Solaris and the BSD family, which are mentioned in the article) may also be vulnerable, but Qualys did not investigate. (Apparently, "OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0." Yay, OpenBSD!)
So, again, pending patches being released for the distro of your choice, please take steps to mitigate this sooner than later.
--
I was just made aware of the issue below by someone from my IT department. Is this an issue in any of the currently available versions of BitCurator Suite that are distributed for use as a virtual machine?
Thanks,
Lara
--------- Forwarded message ---------
From: Alan A <ames...@umn.edu>
Date: Tue, Jan 25, 2022 at 3:56 PM
Subject: [security-people] PATCH NOW: Bug in Linux Polkit (CVE-2021-4034)
To: <securit...@umn.edu>
From: Alan A <ames...@umn.edu>
Date: Tue, Jan 25, 2022 at 3:56 PM
Subject: [security-people] PATCH NOW: Bug in Linux Polkit (CVE-2021-4034)
To: <securit...@umn.edu>
TL;DR: There's a bug in Polkit (PolicyKit) that's included on most Linux distros, including default installations of Ubuntu, Debian, Fedora, and CentOS. The bug allows arbitrary users to escalate privileges to root. Pending patches, I *highly* recommend you evaluate whether the workaround (chmod 0755 on the pkexec command, as mentioned in the article) will work in your environment and, if so, apply that immediately. Otherwise, patch sooner than later.
More details.... Qualys found this bug, and they describe their findings in detail at
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
While they do not appear to be ready to release proof-of-concept code, I understand that the bug is trivial enough to trigger that we shouldn't be waiting for that. The bug has also apparently existed for some time (12 years?) and is thought to be present in all versions of Polkit. Non-Linux systems (notably Solaris and the BSD family, which are mentioned in the article) may also be vulnerable, but Qualys did not investigate. (Apparently, "OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0." Yay, OpenBSD!)
So, again, pending patches being released for the distro of your choice, please take steps to mitigate this sooner than later.
Lara D. Friedman-Shedlov (she / they) (hear my name)
Digital Records Archivist | Archives & Special Collections
I acknowledge that the University of Minnesota is located on the traditional, ancestral and contemporary lands of Indigenous people.
Kam Woods
Jan 25, 2022, 5:32:55 PM1/25/22
to bitcurat...@googlegroups.com
Already patched - https://ubuntu.com/security/notices/USN-5252-1. Running Software Updater (in the Show Applications menu) should update it.
Kam
--
You received this message because you are subscribed to the Google Groups "BitCurator Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcurator-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/CAKWpb_arXPkBR9sM7uWX-6w0LsPZ2jM3_%3D0Cr-2AqX5s-VArVQ%40mail.gmail.com.
Lara Friedman-Shedlov
Jan 25, 2022, 5:33:36 PM1/25/22
to bitcurat...@googlegroups.com
Thanks!!
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/CAAOjFxBJD9iPHpx%2BHXL4%3D_ozmeDDJhdmrq%2BXUaSOQFCdiTF9sA%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages