I was just made aware of the issue below by someone from my IT department. Is this an issue in any of the currently available versions of BitCurator Suite that are distributed for use as a virtual machine?
--------- Forwarded message ---------
From: Alan A <ames...@umn.edu>
Date: Tue, Jan 25, 2022 at 3:56 PM
Subject: [security-people] PATCH NOW: Bug in Linux Polkit (CVE-2021-4034)
To: <securit...@umn.edu>
TL;DR: There's a bug in Polkit (PolicyKit) that's included on most Linux distros, including default installations of Ubuntu, Debian, Fedora, and CentOS. The bug allows arbitrary users to escalate privileges to root. Pending patches, I *highly* recommend you evaluate whether the workaround (chmod 0755 on the pkexec command, as mentioned in the article) will work in your environment and, if so, apply that immediately. Otherwise, patch sooner than later.
More details.... Qualys found this bug, and they describe their findings in detail at
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
While they do not appear to be ready to release proof-of-concept code, I understand that the bug is trivial enough to trigger that we shouldn't be waiting for that. The bug has also apparently existed for some time (12 years?) and is thought to be present in all versions of Polkit. Non-Linux systems (notably Solaris and the BSD family, which are mentioned in the article) may also be vulnerable, but Qualys did not investigate. (Apparently, "OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0." Yay, OpenBSD!)
So, again, pending patches being released for the distro of your choice, please take steps to mitigate this sooner than later.
--
Digital Records Archivist | Archives & Special Collections
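For anyone checking a BitCurator VM (or any other Linux image) against the workaround described in the forwarded email, here is a small audit script. It is an added example, not part of the email or of the BitCurator project; it assumes a POSIX `ls -l` permission string and that pkexec lives at /usr/bin/pkexec (override the path as the first argument). It reports whether pkexec still carries the setuid bit, which is exactly what the `chmod 0755` workaround removes, and only applies that chmod when you explicitly call `apply_workaround`.

```shell
#!/bin/sh
# Added example (not from the original email or BitCurator): audit whether
# pkexec is still setuid, i.e. whether the chmod 0755 workaround has been
# applied. Assumes POSIX `ls -l` output (column 4 of the mode string is the
# owner-execute slot, shown as 's' or 'S' when setuid is set).

# Print the 10-character mode string of a file, e.g. -rwsr-xr-x.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 if the file is setuid (the condition the workaround removes),
# 1 if the setuid bit is clear, 2 if the file does not exist.
is_setuid() {
    [ -e "$1" ] || return 2
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# One status line for a pkexec binary; path defaults to /usr/bin/pkexec (assumed).
pkexec_status() {
    path="${1:-/usr/bin/pkexec}"
    rc=0
    is_setuid "$path" || rc=$?
    case "$rc" in
        0) echo "VULNERABLE-CONFIG: $path is setuid ($(perm_string "$path")); patch or chmod 0755" ;;
        1) echo "MITIGATED: $path is not setuid ($(perm_string "$path"))" ;;
        *) echo "ABSENT: $path not found; polkit may not be installed" ;;
    esac
}

# The workaround from the email: strip the setuid bit. Only runs when called
# explicitly, so auditing never changes the system by itself.
apply_workaround() {
    chmod 0755 "$1"
}

# Stand-alone use: ./pkexec_check.sh [path]
pkexec_status "${1:-/usr/bin/pkexec}"
```

Run it as root or not; reading the mode needs no privileges, while `apply_workaround /usr/bin/pkexec` does. Re-run after the distro patch lands: a patched pkexec is expected to be setuid again, so the script will report VULNERABLE-CONFIG for a fixed binary; the mode check only tells you whether the interim workaround is in place, not whether the package is patched.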