
CVE-2021-4034 PKEXEC exploit

  • 31 January 2022


Hi All,

Currently there is a warning about pkexec described in https://isc.sans.edu/diary/rss/28272.
I was able to validate the existence of the PKEXEC tool as a SUID binary on hyperscale nodes.

This seems to be an OS-level application and not used by Commvault software.

I believe a simple chmod of this executable is enough to prevent the exploit from being used (chmod 0755 /usr/bin/pkexec).

Is there any action item on Commvault to remediate this, or does this need to be addressed by the customer by applying OS patches?

 


Best answer by Aplynx 31 January 2022, 20:49


1 reply


Development is reviewing this issue and will be addressing it. In the meantime, you can use this workaround:

Vulnerability Name: CVE-2021-4034 - PwnKit
Vulnerability Description: A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system.

A temporary mitigation for operating systems that have yet to push a patch is to use the following command to strip pkexec of the setuid bit:

chmod 0755 /usr/bin/pkexec
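
An added example, not part of the original thread or of Commvault's guidance: POSIX shell functions that report whether pkexec still carries the setuid bit, apply the chmod 0755 workaround quoted above, and verify the result. The function names and the PKEXEC_PATH variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit and apply the temporary
# pkexec mitigation. Function names and PKEXEC_PATH are illustrative.

# Print "missing", "setuid" or "mitigated" for the given path.
pkexec_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then          # -u: file has the setuid bit set
        echo setuid
    else
        echo mitigated
    fi
}

# Print the symbolic mode string (e.g. -rwsr-xr-x) of the given path.
pkexec_mode() {
    ls -ld "$1" | awk '{print $1}'
}

# Apply the workaround from the post (chmod 0755) and verify it took effect.
# Needs root when run against the real binary.
mitigate_pkexec() {
    case $(pkexec_state "$1") in
        missing)   echo "$1: not present, nothing to do"; return 0 ;;
        mitigated) echo "$1: setuid bit already cleared"; return 0 ;;
    esac
    mode_before=$(pkexec_mode "$1")
    chmod 0755 "$1" || { echo "$1: chmod failed (not root?)" >&2; return 1; }
    if [ "$(pkexec_state "$1")" != mitigated ]; then
        echo "$1: setuid bit still set after chmod" >&2
        return 1
    fi
    echo "$1: $mode_before -> $(pkexec_mode "$1")"
}

# Read-only report for the path named in the post; override with PKEXEC_PATH.
target=${PKEXEC_PATH:-/usr/bin/pkexec}
echo "$target: $(pkexec_state "$target")"
# To apply the workaround as root: mitigate_pkexec "$target"
```

Re-run the report after package updates, since reinstalling or upgrading the polkit package restores the packaged file mode, setuid bit included, on the binary.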