CVE-2021-4034 Polkit Vulnerability

ggalt · January 26, 2022, 4:45pm

Has CVE-2021-4034 been patched? Do I need to remove the SUID bit from pkexec?

ersen · January 26, 2022, 5:28pm

Updates are on their way to stable (edit: they are on stable now):

Fedora 35: https://bodhi.fedoraproject.org/updates/FEDORA-2022-da040e6b94
Fedora 34: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1acf1bb522

sierraechogolf · January 27, 2022, 6:56am

Apparently this has been hiding for 12 years. The video shows the exploit on an up-to-date Debian and is shockingly simple to execute.

kgqian · February 4, 2022, 4:28pm

Hi, Ersen,

We’d like to fix CVE-2021-4034 on our Fedora 33. I just wonder if you are planning to release a fix for Fedora 33 as you have done for 34 and 35.

I tried the RPM for 35. but I have dependency issues:

===========
[localhost CVE-2021-4034_fix]$ uname -r
5.10.19-200.fc33.x86_64
[localhost CVE-2021-4034_fix]$ ls
polkit-0.120-1.fc35.1.x86_64.rpm polkit-debugsource-0.120-1.fc35.1.x86_64.rpm polkit-libs-0.120-1.fc35.1.x86_64.rpm
polkit-debuginfo-0.120-1.fc35.1.x86_64.rpm polkit-devel-0.120-1.fc35.1.x86_64.rpm polkit-libs-debuginfo-0.120-1.fc35.1.x86_64.rpm
[localhost CVE-2021-4034_fix]$ sudo rpm-ostree install polkit-0.120-1.fc35.1.x86_64.rpm
Checking out tree 7e0bab1… done
Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora updates-archive
rpm-md repo ‘fedora-cisco-openh264’ (cached); generated: 2020-08-25T19:10:34Z
rpm-md repo ‘updates’ (cached); generated: 2021-11-30T02:18:36Z
rpm-md repo ‘fedora’ (cached); generated: 2020-10-19T23:27:19Z
rpm-md repo ‘updates-archive’ (cached); generated: 2021-11-30T02:51:57Z
Importing rpm-md… done
Resolving dependencies… done
error: Could not depsolve transaction; 1 problem detected:
Problem: conflicting requests

nothing provides polkit-libs(x86-64) = 0.120-1.fc35.1 needed by polkit-0.120-1.fc35.1.x86_64
nothing provides libc.so.6(GLIBC_2.33)(64bit) needed by polkit-0.120-1.fc35.1.x86_64
nothing provides libc.so.6(GLIBC_2.34)(64bit) needed by polkit-0.120-1.fc35.1.x86_64
[localhost CVE-2021-4034_fix]$ ls -l /usr/bin/pkexec
-rwsr-xr-x. 4 root root 32488 Jan 1 1970 /usr/bin/pkexec
=====
Your advises are greatly appreciated!

alciregi · February 4, 2022, 5:36pm

Sorry, but Fedora Linux 33 is EOL (end of life) since some months. It doesn’t receive updates anymore.

ersen · February 4, 2022, 5:46pm

As @alciregi has pointed out, Fedora 33 has reached its end of life on 2021-11-30 and no longer receives any updates. You should upgrade to a supported version of Fedora (preferably 35 since Fedora 34 has less than 4 months for its end of life):

kgqian · February 4, 2022, 5:59pm

Thanks for the info. I am kind of new to Fedora.
So the latest stable Fedora 35 has the Polkit’s pkexec fix? can you share url to download 35 stable?

ersen · February 4, 2022, 6:05pm

Yes, both Fedora 34 and Fedora 35 have Polkit patched for CVE-2021-4034. You can use the Fedora Docs link I have shared above to do an inplace upgrade, or you can do a clean install with Fedora 35 Live ISO:

https://getfedora.org/en/workstation/download/

kgqian · February 4, 2022, 6:10pm

Many Thanks, Ensen!

kgqian · February 4, 2022, 6:37pm

Sorry, one more question: Could you share the url for Fedora 35 OVA -x86_64? The equivalent of this link for 33 OVA: (https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/33.20210301.3.1/x86_64/fedora-coreos-33.20210301.3.1-vmware.x86_64.ova)

many thanks!

ersen · February 4, 2022, 6:44pm

Not sure but looks like this: https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/35.20220116.3.0/x86_64/fedora-coreos-35.20220116.3.0-vmware.x86_64.ova

I have found it on the downloads section of Fedora CoreOS page:

kgqian · February 4, 2022, 8:23pm

Hi, Ersen,
I did a upgrade because it is quicker than rebuild a new OVA. So I did the following:

On my Fedora 33, I did an upgrade by running “sudo rpm-ostree upgrade” and then “systemctl reboot”, as a result =, my system is now on 5.15.17-200.fc35.x86_64.
Now how do I verify the polkit issue is fixed? because when I did ls
$ ls -l /usr/bin/pkexec
-rwsr-xr-x. 4 root root 32488 Jan 1 1970 /usr/bin/pkexec
that bit is still “s”. is the patch “polkit-0.120-1.fc35.1.x86_64” supposed to change that bit? or it fix the issue in a different way?
for the sake of making sure the patch is included. I did another install of the package
$ sudo rpm-ostree install polkit-0.120-1.fc35.1.x86_64.rpm
error: Package ‘polkit-0.120-1.fc35.1.x86_64’ is already in the base

this seems to indicate the needed package installed.

please advise how should I verify the fix?

regards,

ersen · February 5, 2022, 8:07am

polkit-0.120-1.fc35.1.x86_64 includes the patch to mitigate the issue (Note that the release part of the package name is 1.fc35.1, which includes the patch, and not 1.fc35). You can see it in the Fedora source repo: https://src.fedoraproject.org/rpms/polkit/tree/f35

The patch doesn’t change SUID bit. You can examine it here if you know C programming: https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683

To actually verify it, there are some PoC (proof of concept) C programs on the internet. You can consult to someone more knowledgeable about C programming and security if you really want to be sure that your systems are not vulnerable and patched.

kgqian · February 5, 2022, 1:32pm

many thanks!