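Vulnerability description
Affected versions of pkexec do not correctly handle the count of calling arguments and end up attempting to execute environment variables as commands. An attacker can exploit this by modifying environment variables to induce pkexec to execute arbitrary code, escalating local privileges to root.
Affected scope
Because pkexec is a tool preinstalled on the system, all mainstream Linux distributions are currently affected.
Reference safe versions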
- centos6: polkit-0.96-11.el6_10.2
- centos7: polkit-0.112-26.el7_9.1
- centos8: polkit-0.115-13.el8_5.1
- centos8.2: polkit-0.115-11.el8_2.2
- centos8.4: polkit-0.115-11.el8_4.2
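Note: for the CentOS 7 upgrade procedure, see: Upgrading the polkit version on CentOS 7 to fix the Linux Polkit privilege escalation vulnerability (CVE-2021-4034)
Demo environment check
The following steps are demonstrated on CentOS 6 (this article uses the Kylin online yum repository as the update source). For an online upgrade, the server must be able to reach https://update.cs2c.com.cn/NS/V6/V6.10/os/lic/updates/x86_64/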
[root@localhost ~]# cat /etc/redhat-release
CentOS release 6.10 (Final)
- Check whether polkit is at a safe version
[root@localhost ~]# rpm -qa polkit
polkit-0.96-11.el6.x86_64
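The manual comparison against the reference list above can be scripted. The following is an added example, not part of the original article: it implements a simplified RPM version comparison and assumes the dist tag in the release (`el6`, `el7`, `el8_2`, ...) identifies which reference build applies. The function names are hypothetical.

```shell
#!/bin/sh
# Added example. Simplified rpmvercmp: prints -1, 0 or 1 for a vs b.
# Epochs and the ~ / ^ modifiers are not handled.
rpmvercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    while (1) {
      # Separators only delimit segments; drop them.
      sub(/^[^A-Za-z0-9]+/, "", a); sub(/^[^A-Za-z0-9]+/, "", b)
      if (a == "" || b == "") break
      num = (a ~ /^[0-9]/)
      re = num ? "^[0-9]+" : "^[A-Za-z]+"
      match(a, re); sa = substr(a, 1, RLENGTH); a = substr(a, RLENGTH + 1)
      # Different segment types: the numeric one is newer.
      if (!match(b, re)) { print (num ? 1 : -1); exit }
      sb = substr(b, 1, RLENGTH); b = substr(b, RLENGTH + 1)
      if (num) { sa += 0; sb += 0 }
      if (sa != sb) { print (sa > sb ? 1 : -1); exit }
    }
    # Whichever side still has segments left is newer.
    print (a == "" ? (b == "" ? 0 : -1) : 1)
  }'
}

# Reference fixed build for the dist tag in the release (values from this page).
fixed_for() {
  case "$1" in
    *.el6*)   echo "0.96-11.el6_10.2" ;;
    *.el7*)   echo "0.112-26.el7_9.1" ;;
    *.el8_2*) echo "0.115-11.el8_2.2" ;;
    *.el8_4*) echo "0.115-11.el8_4.2" ;;
    *.el8*)   echo "0.115-13.el8_5.1" ;;
    *)        return 1 ;;
  esac
}

# polkit_status VERSION-RELEASE -> prints fixed, vulnerable or unknown
polkit_status() {
  ref=$(fixed_for "$1") || { echo unknown; return 0; }
  c=$(rpmvercmp "${1%%-*}" "${ref%%-*}")
  [ "$c" -eq 0 ] && c=$(rpmvercmp "${1#*-}" "${ref#*-}")
  if [ "$c" -ge 0 ]; then echo fixed; else echo vulnerable; fi
}

# Constructed inputs: the two builds shown in this walkthrough.
polkit_status "0.96-11.el6"        # before the upgrade
polkit_status "0.96-11.el6_10.2"   # after the upgrade
# On a live host: polkit_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}' polkit)"
```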
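Offline upgrade procedure
- Upload polkit-0.96-11.el6_10.2.x86_64.rpm to the server; in the demo environment it is placed in the /tmp/rpm/ directory
Offline update package download: polkit-0.96-11.el6_10.2.x86_64.rpm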
[root@localhost ~]# ll /tmp/rpm/
polkit-0.96-11.el6_10.2.x86_64.rpm
- Run the rpm command to update
[root@localhost ~]# rpm -Uvh /tmp/rpm/polkit-0.96-11.el6_10.2.x86_64.rpm
warning: /tmp/polkit-0.96-11.el6_10.2.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 7a486d9f: NOKEY
Preparing... ########################################### [100%]
1:polkit ########################################### [100%]
- Check the polkit version again
[root@localhost ~]# rpm -qa polkit
polkit-0.96-11.el6_10.2.x86_64
Online upgrade procedure
- Modify the yum repository configuration; the demo environment uses the Kylin update address
[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# ls
CentOS-Base.repo CentOS-CR.repo CentOS-Debuginfo.repo CentOS-fasttrack.repo CentOS-Media.repo CentOS-Sources.repo CentOS-Vault.repo CentOS-x86_64-kernel.repo
[root@localhost yum.repos.d]# mv CentOS-Base.repo CentOS-Base.repo.orig
[root@localhost yum.repos.d]# vi CentOS-Base.repo
- Copy the following content into CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-6.10 - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos-vault/6.10/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos-vault/RPM-GPG-KEY-CentOS-6
#released updates
[updates]
name=CentOS-6.10 - Updates - mirrors.aliyun.com
failovermethod=priority
baseurl=https://update.cs2c.com.cn/NS/V6/V6.10/os/lic/updates/x86_64/
# gpgcheck=0: yum does not verify package signatures for this repository
gpgcheck=0
gpgkey=http://mirrors.aliyun.com/centos-vault/RPM-GPG-KEY-CentOS-6
#additional packages that may be useful
[extras]
name=CentOS-6.10 - Extras - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos-vault/6.10/extras/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos-vault/RPM-GPG-KEY-CentOS-6
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-6.10 - Plus - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos-vault/6.10/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.aliyun.com/centos-vault/RPM-GPG-KEY-CentOS-6
#contrib - packages by Centos Users
[contrib]
name=CentOS-6.10 - Contrib - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos-vault/6.10/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.aliyun.com/centos-vault/RPM-GPG-KEY-CentOS-6
- Upgrade to the safe version
[root@localhost yum.repos.d]# yum clean all && yum makecache
[root@localhost yum.repos.d]# yum update polkit -y
- Check the polkit version again
[root@localhost ~]# rpm -qa polkit
polkit-0.96-11.el6_10.2.x86_64