CVE-2021-4034

EUVD-2021-33934

28.01.2022, 20:15

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
polkit_project	polkit	𝑥 < 121
redhat	enterprise_linux_server_update_services_for_sap_solutions	7.6
redhat	enterprise_linux_server_update_services_for_sap_solutions	7.7
redhat	enterprise_linux	8.0
redhat	enterprise_linux_desktop	7.0
redhat	enterprise_linux_eus	8.2
redhat	enterprise_linux_for_ibm_z_systems	7.0
redhat	enterprise_linux_for_ibm_z_systems	8.0
redhat	enterprise_linux_for_ibm_z_systems_eus	8.2
redhat	enterprise_linux_for_ibm_z_systems_eus	8.4
redhat	enterprise_linux_for_power_big_endian	7.0
redhat	enterprise_linux_for_power_little_endian	7.0
redhat	enterprise_linux_for_power_little_endian	8.0
redhat	enterprise_linux_for_power_little_endian_eus	8.1
redhat	enterprise_linux_for_power_little_endian_eus	8.2
redhat	enterprise_linux_for_power_little_endian_eus	8.4
redhat	enterprise_linux_for_scientific_computing	7.0
redhat	enterprise_linux_server	6.0
redhat	enterprise_linux_server	7.0
redhat	enterprise_linux_server_aus	7.3
redhat	enterprise_linux_server_aus	7.4
redhat	enterprise_linux_server_aus	7.6
redhat	enterprise_linux_server_aus	7.7
redhat	enterprise_linux_server_aus	8.2
redhat	enterprise_linux_server_aus	8.4
redhat	enterprise_linux_server_eus	8.4
redhat	enterprise_linux_server_tus	7.6
redhat	enterprise_linux_server_tus	7.7
redhat	enterprise_linux_server_tus	8.2
redhat	enterprise_linux_server_tus	8.4
redhat	enterprise_linux_server_update_services_for_sap_solutions	8.1
redhat	enterprise_linux_server_update_services_for_sap_solutions	8.2
redhat	enterprise_linux_server_update_services_for_sap_solutions	8.4
redhat	enterprise_linux_workstation	7.0
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	18.04
canonical	ubuntu_linux	20.04
canonical	ubuntu_linux	21.10
suse	enterprise_storage	7.0
suse	linux_enterprise_high_performance_computing	15.0:sp2
suse	manager_proxy	4.1
suse	manager_server	4.1
oracle	http_server	12.2.1.3.0
oracle	http_server	12.2.1.4.0
oracle	zfs_storage_appliance_kit	8.8
siemens	sinumerik_edge	𝑥 < 3.3.0
siemens	scalance_lpe9403_firmware	𝑥 < 2.0
starwindsoftware	command_center	1.0:update3_build5871

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

policykit-1

bookworm	122-3 fixed
bullseye	0.105-31+deb11u1 fixed
bullseye (security)	0.105-31+deb11u1 fixed
sid	125-2 fixed
trixie	125-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

policykit-1

bionic	Fixed 0.105-20ubuntu0.18.04.6 released
focal	Fixed 0.105-26ubuntu1.2 released
hirsute	ignored
impish	Fixed 0.105-31ubuntu0.1 released
jammy	Fixed 0.105-31ubuntu1 released
trusty	Fixed 0.105-4ubuntu3.14.04.6+esm1 released
xenial	Fixed 0.105-14.1ubuntu0.5+esm1 released