What is Polkit Privilege Escalation - (CVE-2021-4034)?

  • "A memory corruption vulnerability in Polkit's pkexec, which allows any unprivileged user to gain full root privilege on a vulnerable system using default polkit configuration"

cit. Bharat Jogi, qualys.com

{{< vimeo 669715589 >}}

Links

  • [In-depth analysis from Bharat Jogi, qualys.com](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
  • [Red Hat CVE-2021-4034](https://access.redhat.com/security/cve/CVE-2021-4034)
  • [Red Hat RHSB-2022-001 Ansible Playbook 1.0](https://access.redhat.com/security/vulnerabilities/RHSB-2022-001#ansible-playbook)

## Playbook

How to mitigate Polkit Privilege Escalation - PWNKIT (CVE-2021-4034) on RedHat-like systems using the Ansible Playbook downloaded from RHSB-2022-001.

### Code

Code downloaded from [Red Hat RHSB-2022-001 Ansible Playbook 1.0](https://access.redhat.com/security/vulnerabilities/RHSB-2022-001#ansible-playbook).

### Execution

```bash
ansible-pilot $ ansible-playbook -i virtualmachines/demo/inventory -e "HOSTS=demo.example.com" cve-2021-4034/cve-2021-4034_stap_mitigate--2022-01-25-0936.yml

PLAY [Block pkexec with empty first argument with systemtap] **

TASK [Gathering Facts]
ok: [demo.example.com]

TASK [Install systemtap packages] *
changed: [demo.example.com]

TASK [(RHEL 7) Install kernel debuginfo] **
skipping: [demo.example.com]

TASK [(RHEL 6/8) Install polkit debuginfo]
changed: [demo.example.com]

TASK [(RHEL 6) Install libselinux-python] *
skipping: [demo.example.com]

TASK [Create systemtap script] **
changed: [demo.example.com]

TASK [Checking if stap_pkexec_block module is already loaded] *
ok: [demo.example.com]

TASK [Install systemtap script] *
changed: [demo.example.com]

PLAY RECAP **
demo.example.com : ok=6 changed=4 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0

ansible-pilot $
```
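Once the play has finished, a short post-check on the managed host confirms that the control it installs is actually in effect. The script below is an added example, not part of the Red Hat playbook or this post: it looks for the `stap_pkexec_block` module that the "Checking if stap_pkexec_block module is already loaded" task refers to, and also reports whether `pkexec` is still setuid (removing that bit is Red Hat's other documented workaround). The module name, the `/proc/modules` path and `/usr/bin/pkexec` are the assumed defaults; both can be overridden by arguments.

```shell
#!/bin/sh
# Post-mitigation check for PWNKIT (CVE-2021-4034) on a RHEL-like host.
# Added example; not part of the RHSB-2022-001 playbook. It verifies the
# control the playbook installs (the stap_pkexec_block SystemTap module)
# and Red Hat's alternative workaround (pkexec without the setuid bit).

# Succeed if module $2 is listed in a /proc/modules-style file $1.
module_loaded() {
  [ -r "$1" ] || return 1
  awk -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# Succeed if file $1 exists and carries the setuid bit (04000).
is_setuid() {
  [ -e "$1" ] || return 1
  find "$1" -prune -perm -4000 | grep -q .
}

# Print the host's state; return 0 when at least one control is in place.
# $1 = modules listing (default /proc/modules), $2 = pkexec path (default
# /usr/bin/pkexec). Both defaults are assumptions for a RHEL 8 layout.
pwnkit_status() {
  modlist="${1:-/proc/modules}"
  pkexec="${2:-/usr/bin/pkexec}"
  if module_loaded "$modlist" stap_pkexec_block; then
    echo "mitigated: stap_pkexec_block module is loaded"
    return 0
  fi
  if ! is_setuid "$pkexec"; then
    echo "mitigated: $pkexec is not setuid (or absent)"
    return 0
  fi
  echo "vulnerable: $pkexec is setuid and no SystemTap block is loaded"
  return 1
}

# Run the live check only when saved and executed as pwnkit_check.sh.
case "$0" in *pwnkit_check.sh) pwnkit_status "$@" ;; esac
```

A non-zero exit from `pwnkit_status` means neither control is present, which is what you want a CI or compliance job to flag.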

### Before execution

```bash
ansible-pilot $ ssh [email protected]
Last login: Thu Jan 27 21:28:44 2022 from 192.168.0.102
[devops@demo ~]$ sudo su
[root@demo devops]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redh