Security Vulnerability CVE-2021-4034 (Polkit (Pwnkit))
  • 1 Minute to read
  • PDF

Security Vulnerability CVE-2021-4034 (Polkit (Pwnkit))

  • PDF

Article summary

Vulnerability Description

A memory corruption vulnerability has been found in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.

Vulnerability Details

Publication Date: Jan 28 2022

Vulnerability Link: NVD - CVE-2021-4034

NVD CVSS Score: 7.8

Affected CTERA Products

  • CTERA Portal (all versions)
  • CTERA Insight (all versions)

Note: CTERA Edge filer is not considered vulnerable as it does not provide shell access.

Analysis

The vulnerability is classified by CTERA as having low impact on CTERA Portal and CTERA Insight, since exploitation requires users with shell access and low privileges, and no such users are defined in the CTERA Portal OS or CTERA Insight Proxy server.

Workaround

Execute the following command on each CTERA Portal or CTERA Insight Proxy server.

1yum update polkit

Note: If you do not have internet access, contact CTERA Support. 

Permanent Solution

CTERA will be releasing a new version of CTERA Portal and CTERA Insight by end of February 2022 which will automatically resolve this vulnerability. 

Vulnerability Remediation


Was this article helpful?