Polkit Vulnerability – What You Need to Know

“Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.

It is also possible to use Polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).”

A critical vulnerability in this component has been made public as CVE-2021-4034. According to the researchers who found the issue, the component has been vulnerable since its creation in May 2009, and any unprivileged local user could exploit it to obtain root privileges.

Timeline

  • 2021-11-18: Advisory sent to secalert@redhat.
  • 2022-01-11: Advisory and patch sent to distros@openwall.
  • 2022-01-25: Coordinated Release Date (5:00 PM UTC).

How is Pagely Affected?

All our customers were updated immediately, on the same day this vulnerability was made public. Rest assured that your Pagely sites are protected.

For further information on how the vulnerability can be exploited, see also the original advisory: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
