Updated 7 February 2022 (IGEL OS 11.06.250 released)

First published 27 January 2022

CVSS 3.1 Base Score: 7.8 (High)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

A vulnerability has been found in Polkit, a software component that allows users to execute programs as another user (often as root) after providing a password. This affects the following IGEL products:

  • IGEL OS 11
  • IGEL OS 10

Details

Polkit (formerly known as PolicyKit) has a privilege escalation vulnerability that allows an attacker with regular user privileges to become root without a password. This vulnerability (CVE-2021-4034), nicknamed PwnKit, has been rated as high. A working proof-of-concept exploit is available on the Internet.

Update Instructions

  • IGEL OS 11: Update to IGEL OS 11.06.250.
  • IGEL OS 10: Upgrade to IGEL OS 11.06.250.

Mitigation

This issue can be mitigated by not giving users access to a terminal/virtual console on IGEL OS, which they could use to configure and run the exploit code:

Remove an existing local terminal session:

  1. In IGEL Setup, go to Accessories > Terminals.
  2. Select a local terminal session you want to delete.
  3. Click the trash icon to remove the selected session.
  4. When prompted, confirm that you want to delete the session.
  5. Click Apply.

Or password-protect the local terminal with the Administrator password:

  1. Find the local terminal session under Accessories > Terminals.
  2. Follow the instructions under Password-Protecting Sessions and Accessories.

Disable virtual console access:

  1. In IGEL Setup, go to User Interface > Display > Access Control.
  2. Activate Disable console switching (Default: Console switching enabled).
  3. Click Apply.

References