CVE-2021-4034 Polkit Vulnerability

Has CVE-2021-4034 been patched? Do I need to remove the SUID bit from pkexec?

Updates are on their way to stable (edit: they are on stable now):

Fedora 35: https://bodhi.fedoraproject.org/updates/FEDORA-2022-da040e6b94
Fedora 34: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1acf1bb522

4 Likes

Apparently this has been hiding for 12 years. The video shows the exploit on an up-to-date Debian and is shockingly simple to execute.

1 Like

Hi, Ersen,

We’d like to fix CVE-2021-4034 on our Fedora 33. I just wonder if you are planning to release a fix for Fedora 33 as you have done for 34 and 35.

I tried the RPM for 35, but I have dependency issues:

===========
[localhost CVE-2021-4034_fix]$ uname -r
5.10.19-200.fc33.x86_64
[localhost CVE-2021-4034_fix]$ ls
polkit-0.120-1.fc35.1.x86_64.rpm polkit-debugsource-0.120-1.fc35.1.x86_64.rpm polkit-libs-0.120-1.fc35.1.x86_64.rpm
polkit-debuginfo-0.120-1.fc35.1.x86_64.rpm polkit-devel-0.120-1.fc35.1.x86_64.rpm polkit-libs-debuginfo-0.120-1.fc35.1.x86_64.rpm
[localhost CVE-2021-4034_fix]$ sudo rpm-ostree install polkit-0.120-1.fc35.1.x86_64.rpm
Checking out tree 7e0bab1… done
Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora updates-archive
rpm-md repo ‘fedora-cisco-openh264’ (cached); generated: 2020-08-25T19:10:34Z
rpm-md repo ‘updates’ (cached); generated: 2021-11-30T02:18:36Z
rpm-md repo ‘fedora’ (cached); generated: 2020-10-19T23:27:19Z
rpm-md repo ‘updates-archive’ (cached); generated: 2021-11-30T02:51:57Z
Importing rpm-md… done
Resolving dependencies… done
error: Could not depsolve transaction; 1 problem detected:
Problem: conflicting requests

  • nothing provides polkit-libs(x86-64) = 0.120-1.fc35.1 needed by polkit-0.120-1.fc35.1.x86_64
  • nothing provides libc.so.6(GLIBC_2.33)(64bit) needed by polkit-0.120-1.fc35.1.x86_64
  • nothing provides libc.so.6(GLIBC_2.34)(64bit) needed by polkit-0.120-1.fc35.1.x86_64
[localhost CVE-2021-4034_fix]$ ls -l /usr/bin/pkexec
-rwsr-xr-x. 4 root root 32488 Jan 1 1970 /usr/bin/pkexec
=====

Your advice is greatly appreciated!
1 Like

Sorry, but Fedora Linux 33 has been EOL (end of life) for some months. It doesn’t receive updates anymore.

https://docs.fedoraproject.org/en-US/releases/eol/

2 Likes

As @alciregi has pointed out, Fedora 33 reached its end of life on 2021-11-30 and no longer receives any updates. You should upgrade to a supported version of Fedora (preferably 35, since Fedora 34 has less than 4 months until its end of life):

https://docs.fedoraproject.org/en-US/quick-docs/dnf-system-upgrade/

Thanks for the info. I am kind of new to Fedora.
So the latest stable Fedora 35 has the Polkit pkexec fix? Can you share a URL to download 35 stable?

1 Like

Yes, both Fedora 34 and Fedora 35 have Polkit patched for CVE-2021-4034. You can use the Fedora Docs link I shared above to do an in-place upgrade, or you can do a clean install with the Fedora 35 Live ISO:

1 Like

Many thanks, Ersen!

1 Like

Sorry, one more question: could you share the URL for the Fedora 35 OVA (x86_64)? The equivalent of this link for the 33 OVA: (https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/33.20210301.3.1/x86_64/fedora-coreos-33.20210301.3.1-vmware.x86_64.ova)

Many thanks!

1 Like

Not sure but looks like this: https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/35.20220116.3.0/x86_64/fedora-coreos-35.20220116.3.0-vmware.x86_64.ova

I found it in the downloads section of the Fedora CoreOS page:

Hi, Ersen,
I did an upgrade because it is quicker than rebuilding a new OVA. So I did the following:

  1. On my Fedora 33, I did an upgrade by running “sudo rpm-ostree upgrade” and then “systemctl reboot”. As a result, my system is now on 5.15.17-200.fc35.x86_64.

  2. Now how do I verify the polkit issue is fixed? Because when I did ls:
    $ ls -l /usr/bin/pkexec
    -rwsr-xr-x. 4 root root 32488 Jan 1 1970 /usr/bin/pkexec
    that bit is still “s”. Is the patch “polkit-0.120-1.fc35.1.x86_64” supposed to change that bit? Or does it fix the issue in a different way?

  3. For the sake of making sure the patch is included, I did another install of the package:
    $ sudo rpm-ostree install polkit-0.120-1.fc35.1.x86_64.rpm
    error: Package ‘polkit-0.120-1.fc35.1.x86_64’ is already in the base

This seems to indicate the needed package is installed.

Please advise how I should verify the fix.

regards,

1 Like

polkit-0.120-1.fc35.1.x86_64 includes the patch to mitigate the issue. (Note that the release part of the package name is 1.fc35.1, which includes the patch, and not 1.fc35.) You can see it in the Fedora source repo: Tree - rpms/polkit - src.fedoraproject.org

The patch doesn’t change SUID bit. You can examine it here if you know C programming: pkexec: local privilege escalation (CVE-2021-4034) (a2bf5c9c) · Commits · polkit / polkit · GitLab

To actually verify it, there are some PoC (proof of concept) C programs on the internet. You can consult someone more knowledgeable about C programming and security if you really want to be sure that your systems are patched and not vulnerable.
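The two facts in this answer (the fix is identified by the package release tag, and the set-uid bit on pkexec is left in place) can be checked from a shell without running any PoC. The script below is an added example written for this thread, not code from the thread, from Fedora or from the polkit project. Its assumptions: `vercmp` is a simplified version of rpm's version comparison that is sufficient for polkit's version-release strings; the only fixed build it knows is the one named above for Fedora 35 (0.120-1.fc35.1), so other Fedora releases report "unknown" until an entry is added from the matching Bodhi update; `/usr/bin/pkexec` is the path from the listing earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora/polkit. It turns the
# advice above into a check: the fix is identified by the package release tag
# (0.120-1.fc35.1 on Fedora 35), not by the file mode, so pkexec stays set-uid.

# Simplified rpmvercmp (assumption: enough for polkit's version-release
# strings). Splits on '.', '-' and '_'; numeric tokens compare numerically,
# others lexically; a missing trailing token (0.120-1.fc35 vs 0.120-1.fc35.1)
# sorts older. Prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, ta, /[._-]/); nb = split(b, tb, /[._-]/)
        n = (na > nb) ? na : nb
        r = 0
        for (i = 1; i <= n && r == 0; i++) {
            x = (i <= na) ? ta[i] : ""; y = (i <= nb) ? tb[i] : ""
            if (x == y) continue
            if (x == "")      r = -1
            else if (y == "") r = 1
            else if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) r = (x + 0 < y + 0) ? -1 : 1
            else              r = (x < y) ? -1 : 1
        }
        print r
    }'
}

# Fixed build named in the thread. Other Fedora releases would need their own
# entry taken from the matching Bodhi update (none is given on this page).
polkit_fixed_for() {
    case "$1" in
        fc35) echo "0.120-1.fc35.1" ;;
        *) return 1 ;;
    esac
}

# Takes `rpm -q polkit` output (e.g. polkit-0.120-1.fc35.1.x86_64) and returns
# 0 if that build is at or above the fixed one for its dist tag, 1 if older,
# 2 if no fixed build is known for the dist tag.
polkit_is_patched() {
    vr=${1#polkit-}      # drop the package name
    vr=${vr%.*}          # drop the architecture
    dist=$(printf '%s\n' "$vr" | sed -n 's/.*\.\(fc[0-9][0-9]*\).*/\1/p')
    fixed=$(polkit_fixed_for "$dist") || { echo "no fixed build known for '$dist'" >&2; return 2; }
    [ "$(vercmp "$vr" "$fixed")" -ge 0 ]
}

# The patch changes pkexec's code, not its permissions: with the fix installed
# the file is still set-uid root (the "s" in -rwsr-xr-x).
pkexec_is_setuid() {
    [ -u "$1" ]
}

# Demonstration on constructed input: the two package names from the thread.
# On a real host, call: polkit_is_patched "$(rpm -q polkit)"
for pkg in polkit-0.120-1.fc35.x86_64 polkit-0.120-1.fc35.1.x86_64; do
    if polkit_is_patched "$pkg"; then
        echo "$pkg: contains the CVE-2021-4034 fix"
    else
        echo "$pkg: does NOT contain the fix (or no fixed build known)"
    fi
done
if pkexec_is_setuid /usr/bin/pkexec; then
    echo "/usr/bin/pkexec is set-uid (expected even after the fix)"
fi
```

On the upgraded system from the post above, `polkit_is_patched "$(rpm -q polkit)"` succeeds for polkit-0.120-1.fc35.1.x86_64 and fails for polkit-0.120-1.fc35.x86_64, while `pkexec_is_setuid` stays true in both cases, which is the distinction the reply is making.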

Many thanks!

1 Like