PolicyKit security hole


A security problem was recently announced that affects the Linux distributions that we support. It is being called “PwnKit” (a.k.a. CVE-2021-4034). Most distributions have provided updates, so now is a good time to check for and load outstanding OS security updates on your VPS, using apt for Debian and Ubuntu and yum for CentOS 7 and Rocky.

Currently it looks like there isn’t an official update for CentOS 8, so if you have that distro installed we recommend you use the workaround for older distros (below) or convert your install to Rocky or Alma Linux.

PwnKit is a local privilege escalation, meaning it matters if other people have accounts on your server (e.g. logging in through ssh) or if an attacker has already gained a foothold through a compromised website or other software. In conjunction with such an entry point it could be used to take over your server completely. Hence we’re recommending everyone run updates on their VPSs.

Workaround for older distros

If you have an older distro (e.g. Debian 8, Ubuntu 16.04, CentOS 6 or earlier) there may not be updated packages available. You can remove the setuid bit from pkexec to work around the problem, using the following command:

chmod 0755 /usr/bin/pkexec

Be aware that this also takes away the ability for pkexec to do what it was designed to do, so some things may no longer work if you do this.
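As an added example (not part of the original post), the following POSIX shell script reports whether pkexec still carries the setuid bit, i.e. whether the workaround above has been applied, and prints the installed polkit package version so you can compare it with your distro’s advisory. It assumes the package is named policykit-1 on Debian/Ubuntu and polkit on the CentOS/Rocky family.

```shell
#!/bin/sh
# Added example: check the state of the pkexec setuid workaround.
# Reading the mode bits needs no privileges, so this can be run as any user.

# Return 0 if the given file has the setuid bit set, 1 otherwise
# (a missing file also counts as "not setuid").
pkexec_is_setuid() {
    [ -u "$1" ]
}

# Print the installed polkit package version using whichever package
# manager is present. Prints "unknown" if neither dpkg nor rpm knows it.
# Package names (policykit-1 / polkit) are assumed; adjust if yours differ.
polkit_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Package} ${Version}\n' policykit-1 2>/dev/null) \
            && { echo "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q polkit 2>/dev/null) && { echo "$v"; return 0; }
    fi
    echo unknown
}

# Summarise one pkexec path (defaults to the usual location):
#   not-installed       - pkexec is absent, nothing to do
#   setuid              - still setuid root; update the package or apply chmod 0755
#   workaround-applied  - setuid bit removed; pkexec cannot escalate but is also non-functional
pkexec_status() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo "not-installed"
    elif pkexec_is_setuid "$path"; then
        echo "setuid"
    else
        echo "workaround-applied"
    fi
}

echo "pkexec: $(pkexec_status)"
echo "polkit package: $(polkit_version)"
```

A "setuid" result on a distro that has not shipped a fix means the chmod workaround has not been applied; "workaround-applied" on a distro that has shipped a fix means you can restore the bit after updating.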

Getting assistance with the issue

If you’d like us to check whether your server is vulnerable to PwnKit (and to load the security update where available), put in a ticket. In many cases we can do this without charge. It’s also a good idea to check which distro your VPS is running and update to a later release if it’s an older one. See upgrading Debian-based distros for information on how to do that using distrorejuve, which makes upgrading easier. We are also happy to assist with upgrading; just put in a ticket (a charge may apply).

More Info

Some further information about the problem is listed in this news article. There is an in-depth technical explanation in the original announcement. Updates are available for many of the distros we support. Note that our base images for Debian and Rocky do not include policykit; however, if you have installed a control panel (e.g. virtualmin) or certain other software, it will have been pulled in as a dependency and you will be vulnerable regardless of the base image.

Distro | Installed by default? | Further information
Debian | no  | https://security-tracker.debian.org/tracker/CVE-2021-4034
Ubuntu | yes | https://ubuntu.com/security/notices/USN-5252-1
CentOS | yes | https://lists.centos.org/pipermail/centos-announce/2022-January/073552.html (CentOS 7); unknown for CentOS 8 (note: CentOS 8 no longer receives security updates)
Rocky  | no  | Fixed in version polkit-0.115-13.el8_5.1.x86_64.rpm