
CVE-2021-4034

High · CVSS 7.8 · EPSS 94.9% · CISA KEV · CWE-787 · Out-of-bounds Write

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that they induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.

Published

Community ground truth

Community verdict

3 verdicts
Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

Community real-world severity: High (High 3) — CVSS base score 7.8

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

  • 0
    Field note · Tomáš Novák · Curated

    pkexec argv mishandling → trivial, 100%-reliable local root, present in default installs for 12+ years. No exotic conditions. First thing to try on any Linux foothold.

  • 0
    Remediation · Diego Ramírez · Curated

    Patch polkit. Stopgap if you truly can't patch: chmod 0755 /usr/bin/pkexec (remove setuid) — breaks pkexec but kills the privesc.
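
A read-only audit for the stopgap in the remediation note above, added here as an example (not part of the note and not polkit's own tooling): it reports whether a pkexec binary still carries the setuid bit and whether root owns it. The function names are hypothetical and the only default path is /usr/bin/pkexec from the note; a setuid-root result means the binary is still privileged, not that it is unpatched.

```shell
#!/bin/sh
# Added example: verify whether the setuid stopgap has been applied to pkexec.
# Function names are hypothetical; pass other install paths as arguments.

# pkexec_status PATH -> prints missing | no-setuid | setuid-root | setuid-other
pkexec_status() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    # -u is true only when the set-user-ID bit is set on the file.
    if [ ! -u "$f" ]; then
        echo no-setuid
        return 0
    fi
    # Numeric owner uid is field 3 of a long listing (-L follows symlinks,
    # -d keeps a directory argument from being expanded).
    owner=$(ls -lnLd -- "$f" | awk '{print $3}')
    if [ "$owner" = 0 ]; then
        echo setuid-root
    else
        echo setuid-other
    fi
}

# audit_pkexec [PATH...] -> one "path: status" line per path.
# Returns 1 if any path is setuid-root, 0 otherwise.
audit_pkexec() {
    if [ "$#" -eq 0 ]; then
        set -- /usr/bin/pkexec      # path taken from the remediation note
    fi
    rc=0
    for p in "$@"; do
        s=$(pkexec_status "$p")
        printf '%s: %s\n' "$p" "$s"
        if [ "$s" = setuid-root ]; then
            rc=1
        fi
    done
    return "$rc"
}

audit_pkexec "$@" ||
    echo "setuid-root pkexec present: confirm polkit is patched" >&2
```

After `chmod 0755 /usr/bin/pkexec` the expected status is `no-setuid`; a package update that reinstalls polkit can restore the setuid bit, so the check is worth re-running after updates.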