Security Vulnerability CVE-2021-4034 (Polkit (Pwnkit))
Vulnerability Description
A memory corruption vulnerability has been found in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. The vulnerability is easily exploited and allows any unprivileged user to gain full root privileges on a vulnerable host in its default configuration.
Vulnerability Details
Publication Date: Jan 28 2022
Vulnerability Link: NVD - CVE-2021-4034
NVD CVSS Score: 7.8
Affected CTERA Products
- CTERA Portal (all versions)
- CTERA Insight (all versions)
Note: CTERA Edge filer is not considered vulnerable as it does not provide shell access.
Analysis
The vulnerability is classified by CTERA as having low impact on CTERA Portal and CTERA Insight, since exploitation requires users with shell access and low privileges, and no such users are defined in the CTERA Portal OS or CTERA Insight Proxy server.
Workaround
Execute the following command on each CTERA Portal or CTERA Insight Proxy server.
yum update polkit
Note: If you do not have internet access, contact CTERA Support.
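One way to confirm the update took effect, added here as an example and not CTERA's own code. It assumes an RPM-based host whose polkit package changelog names the CVE it fixes; the function names and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a host after "yum update polkit".
CVE="CVE-2021-4034"

# True if the changelog text in $1 names the CVE (assumption: the
# vendor's polkit changelog lists the CVE it fixes).
changelog_has_fix() {
    case "$1" in *"$CVE"*) return 0 ;; *) return 1 ;; esac
}

# True if an octal mode from `stat -c %a` (e.g. 4755) has the setuid bit.
mode_is_setuid() {
    case "$1" in
        ????) special=${1%???} ;;  # leading digit holds setuid/setgid/sticky
        *)    special=0 ;;         # three digits: no special bits set
    esac
    [ $(( special & 4 )) -ne 0 ]
}

# $1 = changelog text, $2 = pkexec mode ("" when pkexec is not installed)
assess() {
    if changelog_has_fix "$1"; then echo "patched"
    elif [ -z "$2" ]; then echo "pkexec-absent"
    elif mode_is_setuid "$2"; then echo "unpatched-setuid"
    else echo "unpatched-no-setuid"
    fi
}

# Constructed sample changelog (placeholder version and packager).
SAMPLE='* Tue Jan 25 2022 Packager <pkg@example.invalid> - X.Y-Z
- Resolves: CVE-2021-4034'

if command -v rpm >/dev/null 2>&1 && rpm -q polkit >/dev/null 2>&1; then
    # Live check: read the installed package changelog and pkexec's mode.
    pk=$(command -v pkexec || true)
    mode=""
    if [ -n "$pk" ]; then mode=$(stat -c %a "$pk"); fi
    echo "this host: $(assess "$(rpm -q --changelog polkit)" "$mode")"
else
    # No rpm or no polkit package here: show the result on the sample.
    echo "sample (constructed): $(assess "$SAMPLE" 4755)"
fi
```

A result of unpatched-setuid on a CTERA Portal or CTERA Insight Proxy server means the update has not been applied to that host.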
Permanent Solution
CTERA will be releasing a new version of CTERA Portal and CTERA Insight by the end of February 2022, which will automatically resolve this vulnerability.