Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-4034

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

Published

2022-01-28T20:15:12.193

Last Modified

2025-04-03T18:53:12.960

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

3.9

Impact Score

10.0

Weaknesses

Type: Secondary
CWE-787
Type: Primary
CWE-125
CWE-787

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	polkit_project	polkit	< 121	Yes
Application	redhat	enterprise_linux_server_update_services_for_sap_solutions	7.6	Yes
Application	redhat	enterprise_linux_server_update_services_for_sap_solutions	7.7	Yes
Operating System	redhat	enterprise_linux	8.0	Yes
Operating System	redhat	enterprise_linux_desktop	7.0	Yes
Operating System	redhat	enterprise_linux_eus	8.2	Yes
Operating System	redhat	enterprise_linux_for_ibm_z_systems	7.0	Yes
Operating System	redhat	enterprise_linux_for_ibm_z_systems	8.0	Yes
Operating System	redhat	enterprise_linux_for_ibm_z_systems_eus	8.2	Yes
Operating System	redhat	enterprise_linux_for_ibm_z_systems_eus	8.4	Yes
Operating System	redhat	enterprise_linux_for_power_big_endian	7.0	Yes
Operating System	redhat	enterprise_linux_for_power_little_endian	7.0	Yes
Operating System	redhat	enterprise_linux_for_power_little_endian	8.0	Yes
Operating System	redhat	enterprise_linux_for_power_little_endian_eus	8.1	Yes
Operating System	redhat	enterprise_linux_for_power_little_endian_eus	8.2	Yes
Operating System	redhat	enterprise_linux_for_power_little_endian_eus	8.4	Yes
Operating System	redhat	enterprise_linux_for_scientific_computing	7.0	Yes
Operating System	redhat	enterprise_linux_server	6.0	Yes
Operating System	redhat	enterprise_linux_server	7.0	Yes
Operating System	redhat	enterprise_linux_server_aus	7.3	Yes
Operating System	redhat	enterprise_linux_server_aus	7.4	Yes
Operating System	redhat	enterprise_linux_server_aus	7.6	Yes
Operating System	redhat	enterprise_linux_server_aus	7.7	Yes
Operating System	redhat	enterprise_linux_server_aus	8.2	Yes
Operating System	redhat	enterprise_linux_server_aus	8.4	Yes
Operating System	redhat	enterprise_linux_server_eus	8.4	Yes
Operating System	redhat	enterprise_linux_server_tus	7.6	Yes
Operating System	redhat	enterprise_linux_server_tus	7.7	Yes
Operating System	redhat	enterprise_linux_server_tus	8.2	Yes
Operating System	redhat	enterprise_linux_server_tus	8.4	Yes
Operating System	redhat	enterprise_linux_server_update_services_for_sap_solutions	8.1	Yes
Operating System	redhat	enterprise_linux_server_update_services_for_sap_solutions	8.2	Yes
Operating System	redhat	enterprise_linux_server_update_services_for_sap_solutions	8.4	Yes
Operating System	redhat	enterprise_linux_workstation	7.0	Yes
Operating System	canonical	ubuntu_linux	14.04	Yes
Operating System	canonical	ubuntu_linux	16.04	Yes
Operating System	canonical	ubuntu_linux	18.04	Yes
Operating System	canonical	ubuntu_linux	20.04	Yes
Operating System	canonical	ubuntu_linux	21.10	Yes
Application	suse	enterprise_storage	7.0	Yes
Application	suse	linux_enterprise_high_performance_computing	15.0	Yes
Application	suse	manager_proxy	4.1	Yes
Application	suse	manager_server	4.1	Yes
Operating System	suse	linux_enterprise_desktop	15	Yes
Operating System	suse	linux_enterprise_server	15	Yes
Operating System	suse	linux_enterprise_server	15	Yes
Operating System	suse	linux_enterprise_workstation_extension	12	Yes
Application	oracle	http_server	12.2.1.3.0	Yes
Application	oracle	http_server	12.2.1.4.0	Yes
Application	oracle	zfs_storage_appliance_kit	8.8	Yes
Application	siemens	sinumerik_edge	< 3.3.0	Yes
Operating System	siemens	scalance_lpe9403_firmware	< 2.0	Yes
Hardware	siemens	scalance_lpe9403	-	No
Application	starwindsoftware	command_center	1.0	Yes
Application	starwindsoftware	starwind_virtual_san	v8	Yes

References

http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html Exploit, Third Party Advisory, VDB Entry ([email protected])
http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html Third Party Advisory, VDB Entry ([email protected])
https://access.redhat.com/security/vulnerabilities/RHSB-2022-001 Mitigation, Vendor Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=2025869 Issue Tracking, Patch ([email protected])
https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf Third Party Advisory ([email protected])
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Patch ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Exploit, Mitigation, Third Party Advisory ([email protected])
https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/ Exploit, Third Party Advisory ([email protected])
https://www.starwindsoftware.com/security/sw-20220818-0001/ Third Party Advisory ([email protected])
https://www.suse.com/support/kb/doc/?id=000020564 Third Party Advisory ([email protected])
http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/security/vulnerabilities/RHSB-2022-001 Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=2025869 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Exploit, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/ Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.starwindsoftware.com/security/sw-20220818-0001/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.suse.com/support/kb/doc/?id=000020564 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.vicarius.io/vsociety/posts/pwnkit-pkexec-lpe-cve-2021-4034 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)