IronMonkey Threat Research

CVE-2021-4034 HIGH

Published: 2022-01-28 | Last Modified: 2025-11-06 | Status: Analyzed

Description

A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that they induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.

Additional Descriptions (1)

A local privilege escalation vulnerability was found in the pkexec utility of polkit. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec does not correctly handle the count of calling parameters and ends up trying to execute environment variables as commands. An attacker can take advantage of this by crafting environment variables in such a way that they induce pkexec to execute arbitrary code. When executed successfully, the attack can cause a local privilege escalation, granting unprivileged users administrative rights on the target machine.

CVSS Metrics

Base Score: 7.8 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 5.9

Base Score: 7.2 (HIGH)

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 10.0

Weaknesses

Source Type Description
[email protected] Secondary CWE-787
[email protected] Primary CWE-125
[email protected] Primary CWE-787

Affected Products

Vendor Product Version Type
polkit_project polkit * Application
redhat enterprise_linux_server_update_services_for_sap_solutions 7.6 Application
redhat enterprise_linux_server_update_services_for_sap_solutions 7.7 Application
redhat enterprise_linux 8.0 Operating System
redhat enterprise_linux_desktop 7.0 Operating System
redhat enterprise_linux_eus 8.2 Operating System
redhat enterprise_linux_for_ibm_z_systems 7.0 Operating System
redhat enterprise_linux_for_ibm_z_systems 8.0 Operating System
redhat enterprise_linux_for_ibm_z_systems_eus 8.2 Operating System
redhat enterprise_linux_for_ibm_z_systems_eus 8.4 Operating System
redhat enterprise_linux_for_power_big_endian 7.0 Operating System
redhat enterprise_linux_for_power_little_endian 7.0 Operating System
redhat enterprise_linux_for_power_little_endian 8.0 Operating System
redhat enterprise_linux_for_power_little_endian_eus 8.1 Operating System
redhat enterprise_linux_for_power_little_endian_eus 8.2 Operating System
redhat enterprise_linux_for_power_little_endian_eus 8.4 Operating System
redhat enterprise_linux_for_scientific_computing 7.0 Operating System
redhat enterprise_linux_server 6.0 Operating System
redhat enterprise_linux_server 7.0 Operating System
redhat enterprise_linux_server_aus 7.3 Operating System
redhat enterprise_linux_server_aus 7.4 Operating System
redhat enterprise_linux_server_aus 7.6 Operating System
redhat enterprise_linux_server_aus 7.7 Operating System
redhat enterprise_linux_server_aus 8.2 Operating System
redhat enterprise_linux_server_aus 8.4 Operating System
redhat enterprise_linux_server_eus 8.4 Operating System
redhat enterprise_linux_server_tus 7.6 Operating System
redhat enterprise_linux_server_tus 7.7 Operating System
redhat enterprise_linux_server_tus 8.2 Operating System
redhat enterprise_linux_server_tus 8.4 Operating System
redhat enterprise_linux_server_update_services_for_sap_solutions 8.1 Operating System
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2 Operating System
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4 Operating System
redhat enterprise_linux_workstation 7.0 Operating System
canonical ubuntu_linux 14.04 Operating System
canonical ubuntu_linux 16.04 Operating System
canonical ubuntu_linux 18.04 Operating System
canonical ubuntu_linux 20.04 Operating System
canonical ubuntu_linux 21.10 Operating System
suse enterprise_storage 7.0 Application
suse linux_enterprise_high_performance_computing 15.0 Application
suse manager_proxy 4.1 Application
suse manager_server 4.1 Application
suse linux_enterprise_desktop 15 Operating System
suse linux_enterprise_server 15 Operating System
suse linux_enterprise_server 15 Operating System
suse linux_enterprise_workstation_extension 12 Operating System
oracle http_server 12.2.1.3.0 Application
oracle http_server 12.2.1.4.0 Application
oracle zfs_storage_appliance_kit 8.8 Application
siemens sinumerik_edge * Application
siemens scalance_lpe9403_firmware * Operating System
starwindsoftware command_center 1.0 Application
starwindsoftware starwind_virtual_san v8 Application

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:polkit_project:polkit:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*
Yes cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.2:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.1:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.2:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_eus:8.4:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:suse:enterprise_storage:7.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:suse:linux_enterprise_high_performance_computing:15.0:sp2:*:*:-:*:*:*
Yes cpe:2.3:a:suse:manager_proxy:4.1:*:*:*:*:*:*:*
Yes cpe:2.3:a:suse:manager_server:4.1:*:*:*:*:*:*:*
Yes cpe:2.3:o:suse:linux_enterprise_desktop:15:sp2:*:*:*:*:*:*
Yes cpe:2.3:o:suse:linux_enterprise_server:15:sp2:*:*:*:-:*:*
Yes cpe:2.3:o:suse:linux_enterprise_server:15:sp2:*:*:*:sap:*:*
Yes cpe:2.3:o:suse:linux_enterprise_workstation_extension:12:sp5:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:siemens:sinumerik_edge:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:siemens:scalance_lpe9403_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:siemens:scalance_lpe9403:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:starwindsoftware:command_center:1.0:update3_build5871:*:*:*:*:*:*
Yes cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8:build14338:*:*:*:*:*:*
