PwnKit - CVE-2021-4034

I guess people have heard about this exploit (details at PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) | Qualys Security Blog) by now

When I saw the headline, got a bit worried for a second about all those Volumio devices out there…

But then my fears were short lived when I recalled we give root with default password anyway, so no exploit needed for root access on Volumio 🥲

Jokes aside, you’ll need to pull in buster-security sources to get the fix.

Haha, yes exactly that publicly known volumio-user is the reason I added MFA (Cisco DUO) to it :smile:

However, it probably can’t stop this… Just out of curiosity I tried whether I could exploit this, and yes, vulnerable.

volumio@volumiotest:~/cve$ whoami
volumio@volumiotest:~/cve$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp /bin/true GCONV_PATH=./pwnkit.so:.
volumio@volumiotest:~/cve$ ./cve-2021-4034
# whoami

Also, the proposed workaround seems to be working (not sure what will break).

volumio@volumiotest:~/cve$ ls -alh /usr/bin/pkexec
-rwsr-xr-x 1 root root 18K Dec 15  2020 /usr/bin/pkexec
volumio@volumiotest:~/cve$ sudo chmod 0755 /usr/bin/pkexec
volumio@volumiotest:~/cve$ ./cve-2021-4034
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
pkexec must be setuid root
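The workaround shown above works because the PoC needs a setuid-root pkexec; once the bit is gone, pkexec refuses to run and the exploit has nothing to abuse. The script below is an added example (not code from this thread, from Volumio, or from the PoC): it checks whether a pkexec binary still carries the setuid bit, applies and verifies the chmod 0755 workaround, and, where dpkg is available, checks whether the installed policykit-1 is at least the fixed version. The fixed version numbers come from Debian's DSA-5059-1 and are an assumption of this example, as is the PKEXEC path variable; the thread itself only says that buster-security carries the fix.

```shell
#!/bin/sh
# Added example for the CVE-2021-4034 workaround discussed above.
# Not part of the original thread, Volumio, or the PoC repository.
# Assumptions: pkexec lives at /usr/bin/pkexec unless PKEXEC is set; the
# fixed policykit-1 versions are those published in DSA-5059-1.

PKEXEC=${PKEXEC:-/usr/bin/pkexec}

# Return 0 when the file at $1 carries the setuid bit, 1 otherwise.
# `test -u` is POSIX, so this works under dash and busybox as well as bash.
is_setuid() {
    [ -u "$1" ]
}

# Apply the Qualys workaround: clear the setuid bit on $1 (chmod 0755).
# Needs root on a real pkexec. Returns non-zero if chmod fails or the bit
# is still present afterwards, so a caller can trust a zero exit.
strip_setuid() {
    chmod 0755 "$1" || return 1
    if is_setuid "$1"; then
        return 1
    fi
    return 0
}

# Print one word describing a pkexec path:
#   missing  - no such file
#   setuid   - setuid bit present (exploitable unless the package is patched)
#   hardened - setuid bit removed (workaround applied; pkexec will not run)
pkexec_status() {
    if [ ! -e "$1" ]; then
        echo missing
        return 0
    fi
    if is_setuid "$1"; then
        echo setuid
    else
        echo hardened
    fi
}

# Return 0 when the installed policykit-1 is at or above the fixed version
# for the running Debian release, 1 when it is older, 2 when this cannot be
# determined (no dpkg, package not installed, unknown release).
# Fixed versions per DSA-5059-1 (assumption of this example).
policykit_is_patched() {
    command -v dpkg >/dev/null 2>&1 || return 2
    installed=$(dpkg-query -W -f='${Version}' policykit-1 2>/dev/null) || return 2
    codename=$( . /etc/os-release 2>/dev/null && echo "$VERSION_CODENAME" )
    case $codename in
        buster)   fixed=0.105-25+deb10u1 ;;
        bullseye) fixed=0.105-31+deb11u1 ;;
        *)        return 2 ;;
    esac
    if dpkg --compare-versions "$installed" ge "$fixed"; then
        return 0
    fi
    return 1
}

# Report on the real binary when run directly.
echo "pkexec at $PKEXEC: $(pkexec_status "$PKEXEC")"
if policykit_is_patched; then
    echo "policykit-1: fixed package installed"
else
    echo "policykit-1: not verified as patched (rc=$?)"
fi
```

Run it as `sh pkexec_check.sh` to get the status; `sudo sh -c '. ./pkexec_check.sh; strip_setuid /usr/bin/pkexec'` applies the workaround. Prefer the package update where you can: with the setuid bit stripped, anything that legitimately calls pkexec (some desktop helpers, for example) will fail with the "must be setuid root" message seen above.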

Is the workaround something we can implement in our build script? If yes, would you mind sending a PR?

If someone got shell access to your Volumio device via the internet, well, you have much bigger issues :sweat_smile:

This exploit is more potent for privilege escalation on shared servers etc – anyone with access to the volumio user pretty much can do as they please.

Not required, debian-security has already provided updates with patches to policykit-1

Are these patches automatically added to each build?

And just thinking out loud, what happens when you upgrade Volumio? Will that also update kernel stuff? :thinking:

the last update did… update kernel to support rev:1.5…

Well that’s good news, right?

Then we probably need to pay more attention to release notes; they should include security patches :upside_down_face:

Not too concerned about the Volumio rPi’s, as none are accessible from outside my LAN. However, I do need to patch my Domoticz Pi, now that I write this down…


Also as mentioned earlier, most people probably stick with the built-in (volumio) account, being super permissive as it is. Towards the future it might be a good idea to verify if these permissions are all necessary or not (roadmap item). Because the system might contain credentials you don’t want to leak (shares, accounts etc).

So the patch is still a good idea, especially when you want to strip the built-in user from permissions it doesn’t need and/or have setup other users. Good cyber hygiene is never a bad thing, especially if the fix is as easy as installing patches.

As for the urgency, I guess the system is pretty open as it is, so it’s not super urgent. Other systems, like the ones you would find in your DMZ might be more interesting to patch. :wink:

FWIW v3.207 contains the fixed package.