certfr_avis - certfr-2022-avi-083

CERTFR-2022-AVI-083

Vulnerability from certfr_avis

Une vulnérabilité a été découverte dans pkexec de PolicyKit sur Ubuntu. Elle permet à un attaquant de provoquer une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Ubuntu	Ubuntu	Ubuntu versions 20.04 sans le correctif policykit-1 - 0.105-26ubuntu1.2
Ubuntu	Ubuntu	Ubuntu versions 16.04 sans le correctif policykit-1 - 0.105-14.1ubuntu0.5+esm1
Ubuntu	Ubuntu	Ubuntu versions 18.04 sans le correctif policykit-1 - 0.105-20ubuntu0.18.04.6
Ubuntu	Ubuntu	Ubuntu versions 21.10 sans le correctif policykit-1 - 0.105-31ubuntu0.1
Ubuntu	Ubuntu	Ubuntu versions 14.04 sans le correctif policykit-1 - 0.105-4ubuntu3.14.04.6+esm1

References

Title

Publication Time

Tags

Bulletin de sécurité Ubuntu USN-5252-2 du 25 janvier 2022	None	vendor-advisory
Bulletin de sécurité Ubuntu USN-5252-1 du 25 janvier 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Ubuntu versions 20.04 sans le correctif policykit-1 - 0.105-26ubuntu1.2",
      "product": {
        "name": "Ubuntu",
        "vendor": {
          "name": "Ubuntu",
          "scada": false
        }
      }
    },
    {
      "description": "Ubuntu versions 16.04 sans le correctif policykit-1 - 0.105-14.1ubuntu0.5+esm1",
      "product": {
        "name": "Ubuntu",
        "vendor": {
          "name": "Ubuntu",
          "scada": false
        }
      }
    },
    {
      "description": "Ubuntu versions 18.04 sans le correctif policykit-1 - 0.105-20ubuntu0.18.04.6",
      "product": {
        "name": "Ubuntu",
        "vendor": {
          "name": "Ubuntu",
          "scada": false
        }
      }
    },
    {
      "description": "Ubuntu versions 21.10 sans le correctif policykit-1 - 0.105-31ubuntu0.1",
      "product": {
        "name": "Ubuntu",
        "vendor": {
          "name": "Ubuntu",
          "scada": false
        }
      }
    },
    {
      "description": "Ubuntu versions 14.04 sans le correctif policykit-1 - 0.105-4ubuntu3.14.04.6+esm1",
      "product": {
        "name": "Ubuntu",
        "vendor": {
          "name": "Ubuntu",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-4034",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4034"
    }
  ],
  "initial_release_date": "2022-01-27T00:00:00",
  "last_revision_date": "2022-01-27T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-083",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-01-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans pkexec de PolicyKit sur Ubuntu.\nElle permet \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans pkexec de PolicyKit sur Ubuntu",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-5252-2 du 25 janvier 2022",
      "url": "https://ubuntu.com/security/notices/USN-5252-2"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-5252-1 du 25 janvier 2022",
      "url": "https://ubuntu.com/security/notices/USN-5252-1"
    }
  ]
}

CVE-2021-4034 (GCVE-0-2021-4034)

Vulnerability from cvelistv5

Published

2022-01-28 00:00

Modified

2025-10-21 23:15

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - (|CWE-125)

Summary

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

References

URL

Tags

	https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
	https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
	https://bugzilla.redhat.com/show_bug.cgi?id=2025869
	https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
	https://www.oracle.com/security-alerts/cpuapr2022.html
	http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html
	http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html
	https://www.suse.com/support/kb/doc/?id=000020564
	https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf
	https://www.starwindsoftware.com/security/sw-20220818-0001/
	https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/

Impacted products

	Vendor	Product	Version
	n/a	polkit	Version: all

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-23T18:05:54.355Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.vicarius.io/vsociety/posts/pwnkit-pkexec-lpe-cve-2021-4034"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2022-001"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025869"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.suse.com/support/kb/doc/?id=000020564"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.starwindsoftware.com/security/sw-20220818-0001/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-4034",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-12T10:21:57.857346Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-06-27",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-4034"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:48.549Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-4034"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-06-27T00:00:00+00:00",
            "value": "CVE-2021-4034 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "polkit",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A local privilege escalation vulnerability was found on polkit\u0027s pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn\u0027t handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it\u0027ll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "(CWE-787|CWE-125)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-18T00:16:44.133Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2022-001"
        },
        {
          "url": "https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025869"
        },
        {
          "url": "https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html"
        },
        {
          "url": "https://www.suse.com/support/kb/doc/?id=000020564"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf"
        },
        {
          "url": "https://www.starwindsoftware.com/security/sw-20220818-0001/"
        },
        {
          "url": "https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-4034",
    "datePublished": "2022-01-28T00:00:00.000Z",
    "dateReserved": "2021-11-29T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:48.549Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CERTFR-2022-AVI-083

Vulnerability from certfr_avis

Solution

CVE-2021-4034 (GCVE-0-2021-4034)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature