Security vulnerability: CVE-2021-4034 local root exploit in polkit aka "pwnkit"
This document (000020564) is provided subject to the disclaimer at the end of this document.
This vulnerability affects all SLES 12 and SLES 15 service packs.
The vulnerability does not affect SLES 11, as it used a previous generation called PolicyKit.
Installing the updated packages provided by SUSE is sufficient to fix the problem. Please use
zypper lp -a --cve=CVE-2021-4034
to search for the specific patch information. A restart of the service is not required.
Please note that for any SPx (Service Pack level) which is no longer in general support, an LTSS or ESPOS subscription may be needed to obtain the update. Please see the SUSE "CVE Page" link in the "Additional Information" section below for more details about each SPx.
SUSE does not recommend removing the setuid bit as it will cause breakage on the system. Removing the setuid permission from the pkexec binary will prevent it from working properly for legitimate use cases. This means that any application which relies on pkexec execution will stop working, possibly causing unexpected system errors and behavior.
The workaround prevents exploitation and might be the right thing to do given how easy the exploit it, but customers must be aware that this will break functionality until the update is installed.
It is also possible to remove the setuid bit from /usr/bin/pkexec with
chmod 755 /usr/bin/pkexec
or even delete /usr/bin/pkexec until fixed packages can be installed.
- Document ID:000020564
- Creation Date: 07-Feb-2022
- Modified Date:07-Feb-2022
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Real Time
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
- SUSE Manager Server
- SUSE Linux Enterprise Micro
- SUSE Manager Proxy
- SUSE Linux Enterprise HPC
For questions or concerns with the SUSE Knowledgebase please contact: firstname.lastname@example.org