CVE-2021-4034

HIGH · CISA KEV
Published Jan 28, 2022 (4y ago) · Modified Jun 17, 2026 (2w ago)
CVSS 3.1 base score 7.8 (High)
KEV Listed Jun 27, 2022 (4y ago)
KEV Due Jul 18, 2022 (1448d overdue)

Description

A local privilege escalation vulnerability was found in polkit's pkexec utility. pkexec is a setuid-root tool that lets unprivileged users run commands as privileged users according to predefined policies. Affected versions of pkexec do not handle the calling parameter count correctly: when pkexec is executed with an empty argument list (argc == 0), it reads argv[1], which in the process's memory layout is actually envp[0], and later writes the resolved program path back into that same slot. The content of an environment variable is therefore treated as the command to run, and an attacker-controlled variable is written into pkexec's own environment. An attacker can leverage this by crafting environment variables so that pkexec executes arbitrary code. A successful attack results in local privilege escalation, giving unprivileged users administrative rights on the target machine. The upstream fix is the polkit commit listed under Remediation; polkit 121 and vendor-backported packages contain it.
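The argv/envp aliasing the description refers to, shown as an added C model. This is not polkit's code and not the exploit: the kernel stores argv and envp back to back, so with argc == 0 the slot the pre-fix code reads as argv[1] is envp[0], and the path it writes back lands in the environment. The names resolve_in_path, vulnerable_select_program, run_vulnerable_demo and fixed_select_program are hypothetical stand-ins for the pkexec logic; the PATH value "GCONV_PATH=." and the name "pwnkit" are constructed inputs. No shared object is built or loaded, so the block demonstrates the out-of-bounds read and write only, not code execution.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in (assumption) for g_find_program_in_path(): a relative name is joined
 * to the FIRST directory of the given PATH value. Real pkexec walks every entry
 * and checks that an executable exists there; only the shape matters here. */
static char *resolve_in_path(const char *name, const char *path_value,
                             char *out, size_t outlen)
{
    if (name[0] == '/') {
        snprintf(out, outlen, "%s", name);
        return out;
    }
    const char *sep = strchr(path_value, ':');
    size_t dirlen = sep ? (size_t)(sep - path_value) : strlen(path_value);
    snprintf(out, outlen, "%.*s/%s", (int)dirlen, path_value, name);
    return out;
}

/* Pre-fix shape of pkexec's argument scan: skip leading options starting at
 * argv[1], treat the next element as the program, resolve it if it has no
 * slash, and store the resolved path back into the same argv slot.
 * With argc == 0 the loop never runs, n stays 1, argv[1] is really envp[0]
 * (CWE-125, out-of-bounds read) and the store lands in envp[0]
 * (CWE-787, out-of-bounds write). Option handling is simplified: real pkexec
 * also consumes the value that follows --user. */
static void vulnerable_select_program(int argc, char **argv, const char *path_value,
                                      char *resolved, size_t len)
{
    int n;
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            break;
    const char *program = argv[n];           /* OOB read when argc == 0 */
    if (program == NULL)
        return;                              /* real code prints usage here */
    if (program[0] != '/') {
        resolve_in_path(program, path_value, resolved, len);
        argv[n] = resolved;                  /* OOB write when argc == 0 */
    }
}

/* Reproduce the kernel's layout for an execve() with an empty argv: argv[0] is
 * already the NULL terminator and envp starts at the very next pointer. Run the
 * pre-fix logic against it, copy what envp[0] became into env0_after, and
 * return 1 if the environment was modified through argv, else 0. */
int run_vulnerable_demo(char *env0_after, size_t len)
{
    static char resolved[128];               /* outlives the call, like g_strdup() memory */
    char *layout[] = {
        NULL,                                /* argv[0] slot: with argc == 0 this is argv's terminator */
        "pwnkit",                            /* envp[0] (constructed): no slash, so it gets "resolved" */
        "PATH=GCONV_PATH=.",                 /* envp[1] (constructed): first PATH directory is "GCONV_PATH=." */
        NULL                                 /* envp terminator */
    };
    char **argv = layout;
    char **envp = layout + 1;
    const char *env0_before = envp[0];

    vulnerable_select_program(0, argv, envp[1] + strlen("PATH="), resolved, sizeof resolved);

    snprintf(env0_after, len, "%s", envp[0]);
    return envp[0] != env0_before;
}

/* Post-fix shape: the upstream commit (a2bf5c9c, under Remediation) bails out at
 * the top of main when argc < 1 (clearenv, usage, exit 127) before argv is ever
 * indexed. This model returns 127 for that case, 1 when no program follows the
 * options, and never writes back into argv. */
int fixed_select_program(int argc, char **argv, const char **program_out)
{
    int n;
    *program_out = NULL;
    if (argc < 1)
        return 127;                          /* upstream: clearenv(); usage(argc, argv); exit(127); */
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            break;
    if (n >= argc)
        return 1;                            /* nothing to run: usage, never read argv[argc] */
    *program_out = argv[n];
    return 0;
}

int main(void)
{
    char after[128];
    const char *prog;
    int modified = run_vulnerable_demo(after, sizeof after);
    printf("pre-fix : argc == 0 -> environment modified through argv: %s, envp[0] = \"%s\"\n",
           modified ? "yes" : "no", after);
    int rc = fixed_select_program(0, (char *[]){ NULL }, &prog);
    printf("post-fix: argc == 0 -> rc %d, program %s\n", rc, prog ? prog : "(none)");
    return 0;
}
```

The write-back is what turns a read of the environment into a privilege problem: the dynamic loader strips GCONV_PATH (and other unsafe variables) from a setuid process's environment at startup, and the out-of-bounds store reintroduces a variable of that name after that scrubbing has happened. That is the behaviour the CWE-787 entry captures, and why the fix has to refuse argc < 1 outright rather than merely validating the string it read.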

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

CISA Known Exploited Vulnerability (1448d overdue)
Added: Jun 27, 2022
Due: Jul 18, 2022

Required action: Apply updates per vendor instructions.

Exploit & Patch Status
Actively Exploited (KEV)
Patch Available
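Two host-side checks that go with the required action above, as an added example that is not from the page, CISA or the polkit project: whether pkexec still carries the setuid bit (the interim mitigation in the Red Hat and Qualys advisories listed under References is chmod 0755 /usr/bin/pkexec), and a scan of auth-log text for the two messages pkexec itself logs when the public exploit route is taken. The function names, the scratch file under /tmp and the sample log lines are constructed for the demo; on a real host, point has_setuid_bit at /usr/bin/pkexec and feed count_pwnkit_log_indicators the output of journalctl or the contents of auth.log.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* 1 if the mode carries S_ISUID, 0 if not, -1 if stat() fails. A patched pkexec
 * is still setuid root, so 1 only means the interim mitigation is NOT in place;
 * the package version must still be checked against the vendor advisory. */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* The advisories' interim mitigation: drop setuid (and setgid), keep the rest of
 * the mode, so 4755 becomes 0755. pkexec stops working for legitimate callers
 * until the patched package restores the bit. Returns 0 on success, -1 on error. */
int strip_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return chmod(path, (st.st_mode & 07777) & ~(mode_t)(S_ISUID | S_ISGID));
}

/* Demo helper only: creates a scratch file under /tmp with the given mode so the
 * checks can be exercised without touching the real binary. Returns an open fd
 * (caller closes and unlinks it) or -1. */
int make_temp_file(char *path_buf, size_t len, mode_t mode)
{
    int fd;
    snprintf(path_buf, len, "/tmp/pkexec-demo-%ld", (long)getpid());
    fd = open(path_buf, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (chmod(path_buf, mode) != 0) {        /* explicit chmod so umask cannot interfere */
        close(fd);
        unlink(path_buf);
        return -1;
    }
    return fd;
}

/* Prefixes of the two messages pkexec logs when the public exploit route is
 * taken, as quoted in the Qualys advisory (pkexec syslogs them, so they show up
 * in auth.log or the journal). Matching on a prefix avoids depending on the exact
 * wording of the remainder. */
static const char *const PWNKIT_INDICATORS[] = {
    "The value for the SHELL variable was not found",
    "The value for environment variable [",
};

/* Count the lines of `log` that come from pkexec and carry an indicator. */
int count_pwnkit_log_indicators(const char *log)
{
    int hits = 0;
    const char *line = log;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        size_t i;
        if (n >= sizeof buf)
            n = sizeof buf - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';
        if (strstr(buf, "pkexec") != NULL) {
            for (i = 0; i < sizeof PWNKIT_INDICATORS / sizeof PWNKIT_INDICATORS[0]; i++) {
                if (strstr(buf, PWNKIT_INDICATORS[i]) != NULL) {
                    hits++;
                    break;
                }
            }
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return hits;
}

/* Constructed sample (not a real capture): three pkexec lines, one of them
 * benign, plus an unrelated sshd line. */
const char SAMPLE_AUTH_LOG[] =
    "Jan 26 10:11:12 host pkexec[2345]: pam_unix(polkit-1:session): session opened for user root\n"
    "Jan 26 10:11:12 host pkexec[2345]: The value for the SHELL variable was not found the /etc/shells file\n"
    "Jan 26 10:11:13 host pkexec[2346]: The value for environment variable [XAUTHORITY] contains suspicious content\n"
    "Jan 26 10:20:00 host sshd[2400]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2\n";

int main(void)
{
    char path[64];
    int fd = make_temp_file(path, sizeof path, 04755);
    if (fd < 0)
        return 1;
    printf("%s setuid before: %d\n", path, has_setuid_bit(path));
    strip_setuid_bit(path);
    printf("%s setuid after : %d\n", path, has_setuid_bit(path));
    close(fd);
    unlink(path);
    printf("indicator lines in sample log: %d\n", count_pwnkit_log_indicators(SAMPLE_AUTH_LOG));
    return 0;
}
```

The log scan is a positive indicator only: the Qualys advisory notes the bug can also be exploited without producing either message, so a clean log does not clear a host, and the version check against the vendor advisory (or the removed setuid bit) remains the actual control.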

Weaknesses 2

CWE-125 Out-of-bounds Read (Memory Safety)
CWE-787 Out-of-bounds Write (Memory Safety)

Affected Products 55

Vendor | Product | Version | Range
(Range "any" means the listed version with no further qualifier; "*" with a range means all versions in that range.)
polkit_project | polkit | * | <121
redhat | enterprise_linux_server_update_services_for_sap_solutions | 7.6 | any
redhat | enterprise_linux_server_update_services_for_sap_solutions | 7.7 | any
redhat | enterprise_linux | 8.0 | any
redhat | enterprise_linux_desktop | 7.0 | any
redhat | enterprise_linux_eus | 8.2 | any
redhat | enterprise_linux_for_ibm_z_systems | 7.0 | any
redhat | enterprise_linux_for_ibm_z_systems | 8.0 | any
redhat | enterprise_linux_for_ibm_z_systems_eus | 8.2 | any
redhat | enterprise_linux_for_ibm_z_systems_eus | 8.4 | any
redhat | enterprise_linux_for_power_big_endian | 7.0 | any
redhat | enterprise_linux_for_power_little_endian | 7.0 | any
redhat | enterprise_linux_for_power_little_endian | 8.0 | any
redhat | enterprise_linux_for_power_little_endian_eus | 8.1 | any
redhat | enterprise_linux_for_power_little_endian_eus | 8.2 | any
redhat | enterprise_linux_for_power_little_endian_eus | 8.4 | any
redhat | enterprise_linux_for_scientific_computing | 7.0 | any
redhat | enterprise_linux_server | 6.0 | any
redhat | enterprise_linux_server | 7.0 | any
redhat | enterprise_linux_server_aus | 7.3 | any
redhat | enterprise_linux_server_aus | 7.4 | any
redhat | enterprise_linux_server_aus | 7.6 | any
redhat | enterprise_linux_server_aus | 7.7 | any
redhat | enterprise_linux_server_aus | 8.2 | any
redhat | enterprise_linux_server_aus | 8.4 | any
redhat | enterprise_linux_server_eus | 8.4 | any
redhat | enterprise_linux_server_tus | 7.6 | any
redhat | enterprise_linux_server_tus | 7.7 | any
redhat | enterprise_linux_server_tus | 8.2 | any
redhat | enterprise_linux_server_tus | 8.4 | any
redhat | enterprise_linux_server_update_services_for_sap_solutions | 8.1 | any
redhat | enterprise_linux_server_update_services_for_sap_solutions | 8.2 | any
redhat | enterprise_linux_server_update_services_for_sap_solutions | 8.4 | any
redhat | enterprise_linux_workstation | 7.0 | any
canonical | ubuntu_linux | 14.04 | any
canonical | ubuntu_linux | 16.04 | any
canonical | ubuntu_linux | 18.04 | any
canonical | ubuntu_linux | 20.04 | any
canonical | ubuntu_linux | 21.10 | any
suse | enterprise_storage | 7.0 | any
suse | linux_enterprise_high_performance_computing | 15.0 | any
suse | manager_proxy | 4.1 | any
suse | manager_server | 4.1 | any
suse | linux_enterprise_desktop | 15 | any
suse | linux_enterprise_server | 15 | any
suse | linux_enterprise_server | 15 | any
suse | linux_enterprise_workstation_extension | 12 | any
oracle | http_server | 12.2.1.3.0 | any
oracle | http_server | 12.2.1.4.0 | any
oracle | zfs_storage_appliance_kit | 8.8 | any
siemens | sinumerik_edge | * | <3.3.0
siemens | scalance_lpe9403_firmware | * | <2.0
siemens | scalance_lpe9403 | * | any
starwindsoftware | command_center | 1.0 | any
starwindsoftware | starwind_virtual_san | v8 | any

References 13

  • packetstormsecurity.com http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html
    Exploit, Third Party Advisory, VDB Entry
  • packetstormsecurity.com http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html
    Third Party Advisory, VDB Entry
  • access.redhat.com https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
    Mitigation, Vendor Advisory
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2025869
    Issue Tracking, Patch
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf
    Third Party Advisory
  • gitlab.freedesktop.org https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
    Patch
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-4034
    US Government Resource
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • qualys.com https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
    Exploit, Mitigation, Third Party Advisory
  • secpod.com https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/
    Exploit, Third Party Advisory
  • starwindsoftware.com https://www.starwindsoftware.com/security/sw-20220818-0001/
    Third Party Advisory
  • suse.com https://www.suse.com/support/kb/doc/?id=000020564
    Third Party Advisory
  • vicarius.io https://www.vicarius.io/vsociety/posts/pwnkit-pkexec-lpe-cve-2021-4034
    Exploit, Third Party Advisory

Remediation

  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2025869
    Issue Tracking, Patch
  • gitlab.freedesktop.org https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
    Patch
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory