// For flags

CVE-2021-4034

Red Hat Polkit Out-of-Bounds Read and Write Vulnerability

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

33
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

Act
*SSVC
Descriptions

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

Se encontró una vulnerabilidad de escalada de privilegios local en la utilidad pkexec de polkit. La aplicación pkexec es una herramienta setuid diseñada para permitir a usuarios sin privilegios ejecutar comandos como usuarios privilegiados de acuerdo con políticas predefinidas. La versión actual de pkexec no maneja correctamente el recuento de parámetros de llamada y termina intentando ejecutar variables de entorno como comandos. Un atacante puede aprovechar esto creando variables de entorno de tal manera que induzcan a pkexec a ejecutar código arbitrario. Cuando se ejecuta con éxito, el ataque puede provocar una escalada de privilegios locales otorgando a los usuarios sin privilegios derechos administrativos en la máquina de destino.

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Act
Exploitation
Active
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2021-11-29 CVE Reserved
  • 2022-01-26 CVE Published
  • 2022-01-26 First Exploit
  • 2022-06-27 Exploited in Wild
  • 2022-07-18 KEV Due Date
  • 2024-11-04 CVE Updated
  • 2024-11-23 EPSS Updated
CWE
  • CWE-20: Improper Input Validation
  • CWE-125: Out-of-bounds Read
  • CWE-787: Out-of-bounds Write
CAPEC
References (43)
URL Tag Source
http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf Third Party Advisory
https://www.starwindsoftware.com/security/sw-20220818-0001 Third Party Advisory
https://www.suse.com/support/kb/doc/?id=000020564 Third Party Advisory
-
URL Date SRC
https://github.com/dzonerzy/poc-cve-2021-4034 2022-01-26
https://github.com/arthepsy/CVE-2021-4034 2022-01-26
https://github.com/berdav/CVE-2021-4034 2022-01-30
https://www.exploit-db.com/exploits/50689 2022-01-27
https://github.com/PwnFunction/CVE-2021-4034 2022-04-09
https://github.com/joeammond/CVE-2021-4034 2022-01-28
https://github.com/nikaiw/CVE-2021-4034 2022-01-26
https://github.com/ryaagard/CVE-2021-4034 2022-01-26
https://github.com/Rvn0xsy/CVE-2021-4034 2022-01-28
https://github.com/Ayrx/CVE-2021-4034 2022-01-27
https://github.com/zhzyker/CVE-2021-4034 2022-01-27
https://github.com/EstamelGG/CVE-2021-4034-NoGCC 2022-02-09
https://github.com/c3c/CVE-2021-4034 2022-03-30
https://github.com/dadvlingd/CVE-2021-4034 2023-02-19
https://github.com/mebeim/CVE-2021-4034 2022-01-26
https://github.com/ck00004/CVE-2021-4034 2022-02-15
https://github.com/NeonWhiteRabbit/CVE-2021-4034 2022-01-28
https://github.com/rvizx/CVE-2021-4034 2022-07-19
https://github.com/Y3A/CVE-2021-4034 2023-07-20
https://github.com/An00bRektn/CVE-2021-4034 2022-01-27
https://github.com/chenaotian/CVE-2021-4034 2022-05-23
https://github.com/Al1ex/CVE-2021-4034 2022-01-27
https://github.com/Audiobahn/CVE-2021-4034 2022-01-26
https://github.com/Yakumwamba/POC-CVE-2021-4034 2022-01-28
https://github.com/NiS3x/CVE-2021-4034 2022-01-27
https://github.com/Kirill89/CVE-2021-4034 2022-01-28
https://github.com/clubby789/CVE-2021-4034 2022-01-26
https://github.com/sofire/polkit-0.96-CVE-2021-4034 2022-01-29
https://github.com/ch4rum/CVE-2021-4034 2022-01-27
https://github.com/nobelh/CVE-2021-4034 2022-03-03
http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html 2024-11-04
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt 2024-11-04
https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034 2024-11-04
URL Date SRC
https://bugzilla.redhat.com/show_bug.cgi?id=2025869 2022-02-15
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 2024-06-28
https://www.oracle.com/security-alerts/cpuapr2022.html 2024-06-28
URL Date SRC
https://access.redhat.com/security/vulnerabilities/RHSB-2022-001 2022-02-15
https://access.redhat.com/security/cve/CVE-2021-4034 2022-02-15
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Siemens
Search vendor "Siemens"
 Scalance Lpe9403 Firmware
Search vendor "Siemens" for product "Scalance Lpe9403 Firmware"
 < 2.0
Search vendor "Siemens" for product "Scalance Lpe9403 Firmware" and version " < 2.0"
-
Affected
in Siemens
Search vendor "Siemens"
 Scalance Lpe9403
Search vendor "Siemens" for product "Scalance Lpe9403"
--
Safe
Polkit Project
Search vendor "Polkit Project"
 Polkit
Search vendor "Polkit Project" for product "Polkit"
 < 121
Search vendor "Polkit Project" for product "Polkit" and version " < 121"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Update Services For Sap Solutions
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions"
 7.6
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions" and version "7.6"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Update Services For Sap Solutions
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions"
 7.7
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions" and version "7.7"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 8.0
Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Desktop
Search vendor "Redhat" for product "Enterprise Linux Desktop"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Eus
Search vendor "Redhat" for product "Enterprise Linux Eus"
 8.2
Search vendor "Redhat" for product "Enterprise Linux Eus" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Ibm Z Systems
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"
 7.0
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Ibm Z Systems
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"
 8.0
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Ibm Z Systems Eus
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus"
 8.2
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Ibm Z Systems Eus
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus"
 8.4
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Big Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian"
 7.0
Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Little Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"
 7.0
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Little Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"
 8.0
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Little Endian Eus
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus"
 8.1
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus" and version "8.1"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Little Endian Eus
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus"
 8.2
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Little Endian Eus
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus"
 8.4
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Scientific Computing
Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing"
 7.0
Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
 6.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
 7.3
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.3"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
 7.4
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.4"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
 7.6
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.6"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
 7.7
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.7"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
 8.2
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
 8.4
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Eus
Search vendor "Redhat" for product "Enterprise Linux Server Eus"
 8.4
Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Tus
Search vendor "Redhat" for product "Enterprise Linux Server Tus"
 7.6
Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "7.6"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Tus
Search vendor "Redhat" for product "Enterprise Linux Server Tus"
 7.7
Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "7.7"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Tus
Search vendor "Redhat" for product "Enterprise Linux Server Tus"
 8.2
Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Tus
Search vendor "Redhat" for product "Enterprise Linux Server Tus"
 8.4
Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Update Services For Sap Solutions
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions"
 8.1
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions" and version "8.1"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Update Services For Sap Solutions
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions"
 8.2
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Update Services For Sap Solutions
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions"
 8.4
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
esm
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
esm
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 20.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "20.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 21.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "21.10"
-
Affected
Suse
Search vendor "Suse"
 Enterprise Storage
Search vendor "Suse" for product "Enterprise Storage"
 7.0
Search vendor "Suse" for product "Enterprise Storage" and version "7.0"
-
Affected
Suse
Search vendor "Suse"
 Linux Enterprise High Performance Computing
Search vendor "Suse" for product "Linux Enterprise High Performance Computing"
 15.0
Search vendor "Suse" for product "Linux Enterprise High Performance Computing" and version "15.0"
sp2
Affected
Suse
Search vendor "Suse"
 Manager Proxy
Search vendor "Suse" for product "Manager Proxy"
 4.1
Search vendor "Suse" for product "Manager Proxy" and version "4.1"
-
Affected
Suse
Search vendor "Suse"
 Manager Server
Search vendor "Suse" for product "Manager Server"
 4.1
Search vendor "Suse" for product "Manager Server" and version "4.1"
-
Affected
Suse
Search vendor "Suse"
 Linux Enterprise Desktop
Search vendor "Suse" for product "Linux Enterprise Desktop"
 15
Search vendor "Suse" for product "Linux Enterprise Desktop" and version "15"
sp2
Affected
Suse
Search vendor "Suse"
 Linux Enterprise Server
Search vendor "Suse" for product "Linux Enterprise Server"
 15
Search vendor "Suse" for product "Linux Enterprise Server" and version "15"
sp2
Affected
Suse
Search vendor "Suse"
 Linux Enterprise Server
Search vendor "Suse" for product "Linux Enterprise Server"
 15
Search vendor "Suse" for product "Linux Enterprise Server" and version "15"
sp2, sap
Affected
Suse
Search vendor "Suse"
 Linux Enterprise Workstation Extension
Search vendor "Suse" for product "Linux Enterprise Workstation Extension"
 12
Search vendor "Suse" for product "Linux Enterprise Workstation Extension" and version "12"
sp5
Affected
Oracle
Search vendor "Oracle"
 Http Server
Search vendor "Oracle" for product "Http Server"
 12.2.1.3.0
Search vendor "Oracle" for product "Http Server" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
 Http Server
Search vendor "Oracle" for product "Http Server"
 12.2.1.4.0
Search vendor "Oracle" for product "Http Server" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
 Zfs Storage Appliance Kit
Search vendor "Oracle" for product "Zfs Storage Appliance Kit"
 8.8
Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8"
-
Affected
Siemens
Search vendor "Siemens"
 Sinumerik Edge
Search vendor "Siemens" for product "Sinumerik Edge"
 < 3.3.0
Search vendor "Siemens" for product "Sinumerik Edge" and version " < 3.3.0"
-
Affected
Starwindsoftware
Search vendor "Starwindsoftware"
 Command Center
Search vendor "Starwindsoftware" for product "Command Center"
 1.0
Search vendor "Starwindsoftware" for product "Command Center" and version "1.0"
update3_build5871
Affected
Starwindsoftware
Search vendor "Starwindsoftware"
 Starwind Hyperconverged Appliance
Search vendor "Starwindsoftware" for product "Starwind Hyperconverged Appliance"
--
Affected
Starwindsoftware
Search vendor "Starwindsoftware"
 Starwind Virtual San
Search vendor "Starwindsoftware" for product "Starwind Virtual San"
 v8
Search vendor "Starwindsoftware" for product "Starwind Virtual San" and version "v8"
build14338
Affected