Vulnerability Name:

CVE-2021-4034 (CCN-218087)

Assigned:2021-11-29
Published:2022-01-25
Updated:2023-02-13
Summary:A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that they induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.
CVSS v3 Severity:7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.2 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.2 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.8 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.2 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-125
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2021-4034

Source: secalert@redhat.com
Type: Exploit, Third Party Advisory, VDB Entry
secalert@redhat.com

Source: secalert@redhat.com
Type: Third Party Advisory, VDB Entry
secalert@redhat.com

Source: secalert@redhat.com
Type: Mitigation, Vendor Advisory
secalert@redhat.com

Source: CCN
Type: Red Hat Bugzilla - Bug 2025869
(CVE-2021-4034) - CVE-2021-4034 polkit: Local privilege escalation in pkexec due to incorrect handling of argument vector

Source: secalert@redhat.com
Type: Issue Tracking, Patch, Vendor Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com

Source: XF
Type: UNKNOWN
polkit-cve20214034-priv-esc(218087)

Source: CCN
Type: polkit GitLab
polkit

Source: CCN
Type: polkit GIT Repository
pkexec: local privilege escalation (CVE-2021-4034)

Source: secalert@redhat.com
Type: Patch, Third Party Advisory
secalert@redhat.com

Source: CCN
Type: Packet Storm Security [01-26-2022]
Polkit pkexec CVE-2021-4034 Local Root

Source: CCN
Type: Packet Storm Security [01-26-2022]
Polkit pkexec CVE-2021-4034 Proof Of Concept

Source: CCN
Type: Packet Storm Security [01-26-2022]
Polkit pkexec CVE-2021-4034 Local Root

Source: CCN
Type: Packet Storm Security [01-27-2022]
PolicyKit-1 0.105-31 Privilege Escalation

Source: CCN
Type: Packet Storm Security [03-03-2022]
Polkit pkexec Local Privilege Escalation

Source: CCN
Type: Packet Storm Security [03-04-2022]
Polkit pkexec Privilege Escalation

Source: CCN
Type: oss-sec Mailing List, Tue, 25 Jan 2022 17:57:48 +0000
pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)

Source: CCN
Type: ICSA-22-270-02
Hitachi Energy APM Edge

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [01-27-2022]

Source: CCN
Type: IBM Security Bulletin 6552330 (Netezza PDA OS Security)
Publicly disclosed vulnerability (CVE-2021-4034) in Polkit affects IBM Netezza PDA OS Security

Source: CCN
Type: IBM Security Bulletin 6556444 (Integrated Analytics System)
Vulnerability in Polkit affects IBM Integrated Analytics System.

Source: CCN
Type: IBM Security Bulletin 6556738 (App Connect Professional)
App Connect Professional is affected by polkit's pkexec vulnerability

Source: CCN
Type: IBM Security Bulletin 6557048 (Cloud Pak for Data System)
Vulnerability in Polkit affects IBM Cloud Pak for Data System 1.0

Source: CCN
Type: IBM Security Bulletin 6557222 (Cloud Pak for Data System)
Vulnerability in Polkit affects IBM Cloud Pak for Data System 2.0.

Source: CCN
Type: IBM Security Bulletin 6557426 (QRadar SIEM)
Polkit as used by IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2021-4034)

Source: CCN
Type: IBM Security Bulletin 6562471 (Spectrum Copy Data Management)
Vulnerabilities in Polkit, PostgreSQL, OpenSSL, OpenSSH, and jQuery affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6562843 (Spectrum Protect Plus)
Vulnerabilities in Polkit, Node.js, OpenSSH, and Golang Go affect IBM Spectrum Protect Plus (CVE-2021-4034, CVE-2022-21681, CVE-2022-21680, CVE-2022-0235, CVE-2021-41617, CVE-2021-44716, CVE-2021-44717, 218243)

Source: CCN
Type: IBM Security Bulletin 6568365 (QRadar Network Packet Capture)
IBM QRadar Network Packet Capture is using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6572981 (Security Guardium)
IBM Security Guardium is affected by a PolicyKit vulnerability (CVE-2021-4034)

Source: CCN
Type: IBM Security Bulletin 6583163 (TS7700 virtual tape systems)
TS3000 (TSSC/IMC) is vulnerable to privilege escalation vulnerability due to polkit ( CVE-2021-4034 )

Source: CCN
Type: IBM Security Bulletin 6611089 (Cloud Pak System)
Vulnerability in polkit affects Cloud Pak System ( CVE-2021-4034)

Source: CCN
Type: Mend Vulnerability Database
CVE-2021-4034

Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Exploit, Mitigation, Third Party Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Third Party Advisory
secalert@redhat.com

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*
Configuration RedHat 3:
  • cpe:/o:redhat:rhel_els:6:*:*:*:*:*:*:*
Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*
Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*
Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*
Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*
Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_network_packet_capture:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.14.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.9.3:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:7646 | P | libpolkit-agent-1-0-121-150500.1.6 on GA media (Moderate) | 2023-06-12
    oval:org.opensuse.security:def:3059 | P | e2fsprogs-1.43.8-3.8.1 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:94689 | P | libpolkit0-0.116-3.9.1 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:94450 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:93140 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:100407 | P | (Important) | 2022-01-25
    oval:com.redhat.rhsa:def:20220267 | P | RHSA-2022:0267: polkit security update (Important) | 2022-01-25
    oval:org.opensuse.security:def:126891 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:6337 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:93815 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:99478 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:119412 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:93300 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:100741 | P | (Important) | 2022-01-25
    oval:com.redhat.rhsa:def:20220269 | P | RHSA-2022:0269: polkit security update (Important) | 2022-01-25
    oval:org.opensuse.security:def:127288 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:118726 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:94029 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:42188 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:99740 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:119597 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:5267 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:93458 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:101611 | P | Security update for polkit (Important) | 2022-01-25
    oval:com.redhat.rhsa:def:20220274 | P | RHSA-2022:0274: polkit security update (Important) | 2022-01-25
    oval:org.opensuse.security:def:118916 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:94241 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:42296 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:100069 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:125726 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:6061 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:93612 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:907 | P | Security update for polkit (Important) | 2022-01-25
    oval:org.opensuse.security:def:99204 | P | (Important) | 2022-01-25
    oval:org.opensuse.security:def:119222 | P | Security update for polkit (Important) | 2022-01-25
    ibm security guardium 10.5
    ibm security guardium 10.6
    ibm qradar network packet capture 7.3
    ibm cloud pak system 2.3.0.1
    ibm qradar security information and event manager 7.3.3
    ibm security guardium 11.0
    ibm cloud pak system 2.3.1.1
    ibm security guardium 11.1
    ibm cloud pak system 2.3.2.0
    ibm security guardium 11.2
    ibm cloud pak system 2.3.3.0
    ibm cloud pak system 2.3.3.1
    ibm cloud pak system 2.3.3.2
    ibm cloud pak system 2.3.3.3
    ibm security guardium 11.3
    ibm qradar security information and event manager 7.4.3 -
    ibm security guardium 11.4
    ibm qradar security information and event manager 7.5.0 -
    ibm spectrum copy data management 2.2.0.0
    ibm spectrum copy data management 2.2.14.3
    ibm spectrum protect plus 10.1.9.3