Ubuntu vulnerability


Lara Friedman-Shedlov

Jan 25, 2022, 5:17:13 PM
to bitcurat...@googlegroups.com
Hi all,

I was just made aware of the issue below by someone from my IT department.  Is this an issue in any of the currently available versions of BitCurator Suite that are distributed for use as a virtual machine?

Thanks,
Lara 


--------- Forwarded message ---------
From: Alan A <ames...@umn.edu>
Date: Tue, Jan 25, 2022 at 3:56 PM
Subject: [security-people] PATCH NOW: Bug in Linux Polkit (CVE-2021-4034)
To: <securit...@umn.edu>


TL;DR:  There's a bug in Polkit (PolicyKit) that's included on most Linux distros, including default installations of Ubuntu, Debian, Fedora, and CentOS.  The bug allows arbitrary users to escalate privileges to root.  Pending patches, I *highly* recommend you evaluate whether the workaround (chmod 0755 on the pkexec command, as mentioned in the article) will work in your environment and, if so, apply that immediately.  Otherwise, patch sooner than later.

More details....  Qualys found this bug, and they describe their findings in detail at

        https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034


While they do not appear to be ready to release proof-of-concept code, I understand that the bug is trivial enough to trigger that we shouldn't be waiting for that.  The bug has also apparently existed for some time (12 years?) and is thought to be present in all versions of Polkit.  Non-Linux systems (notably Solaris and the BSD family, which are mentioned in the article) may also be vulnerable, but Qualys did not investigate.  (Apparently, "OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0."  Yay, OpenBSD!)

So, again, pending patches being released for the distro of your choice, please take steps to mitigate this sooner than later.

--
Lara D. Friedman-Shedlov    (she / they)  (hear my name)
Digital Records Archivist | Archives & Special Collections 
University of Minnesota Libraries | lib.umn.edu | 612.626.7972
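A defender-side check for the interim workaround described in the forwarded advisory, added here as an example and not code from the thread or from the BitCurator project: it reports whether pkexec still carries the setuid bit (the condition the advisory's workaround removes) and, when run as root with `--fix`, applies the `chmod 0755` mitigation. The pkexec path, the `policykit-1` package name and the `--fix` flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check and optionally apply the interim
# CVE-2021-4034 workaround (drop the setuid bit from pkexec) until the distro
# patch, e.g. Ubuntu's USN-5252-1, is installed.

# Assumed install path; Debian/Ubuntu ship pkexec at /usr/bin/pkexec.
PKEXEC_PATH="${PKEXEC_PATH:-/usr/bin/pkexec}"

# Print one of: setuid (workaround not applied), nosuid (bit removed), absent.
pkexec_setuid_state() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo nosuid
    fi
}

# Apply the workaround from the advisory: mode 0755 clears the setuid bit.
# Must run as root on a real system; returns chmod's exit status.
apply_pkexec_workaround() {
    if [ ! -e "$1" ]; then
        echo "no pkexec found at $1" >&2
        return 2
    fi
    chmod 0755 "$1" && echo "setuid bit removed from $1"
}

main() {
    echo "pkexec at $PKEXEC_PATH: $(pkexec_setuid_state "$PKEXEC_PATH")"
    # Where dpkg is present, show the installed policykit-1 version so it can
    # be compared with the fixed version listed in the distro advisory.
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='policykit-1 ${Version}\n' policykit-1 2>/dev/null || true
    fi
    if [ "${1:-}" = "--fix" ] && \
       [ "$(pkexec_setuid_state "$PKEXEC_PATH")" = "setuid" ]; then
        apply_pkexec_workaround "$PKEXEC_PATH"
    fi
}

main "$@"
```

Run it once to see the current state, then `sudo sh pkexec-check.sh --fix` to apply the workaround; re-run the plain check after patching to confirm the distro's fixed package restored the expected state.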


Kam Woods

Jan 25, 2022, 5:32:55 PM
to bitcurat...@googlegroups.com
Already patched - https://ubuntu.com/security/notices/USN-5252-1. Running Software Updater (in the Show Applications menu) should update it.

Kam

--
You received this message because you are subscribed to the Google Groups "BitCurator Users" group.

Lara Friedman-Shedlov

Jan 25, 2022, 5:33:36 PM
to bitcurat...@googlegroups.com