Updated 7 February 2022 (IGEL OS 11.06.250 released)
First published 27 January 2022
CVSS 3.1 Base Score: 7.8 (High)
A vulnerability has been found in Polkit, a software component that allows users to execute programs as another user (often root) after providing a password. This affects the following IGEL products:
- IGEL OS 11
- IGEL OS 10
Polkit (formerly known as PolicyKit) has a privilege escalation vulnerability that allows an attacker with regular user privileges to become root without a password. This vulnerability (CVE-2021-4034), nicknamed PwnKit, has been rated as high. A working proof-of-concept exploit is available on the Internet.
Resolution:
- IGEL OS 11: Update to IGEL OS 11.06.250.
- IGEL OS 10: Upgrade to IGEL OS 11.06.250.
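As an added example (not IGEL's own tooling and not part of the advisory), the following POSIX shell helper lets an administrator check whether a device's IGEL OS version string is at or above the fixed release 11.06.250, and whether the Polkit pkexec helper (the program named in the referenced Qualys advisory) is installed setuid-root. The dotted version string, the path /usr/bin/pkexec, and the sample versions it runs on are assumptions and constructed inputs, not values taken from this page.

```shell
#!/bin/sh
# Added example, not IGEL code. Compares an IGEL OS version string with
# the fixed release from the advisory and reports patch status.

FIXED_VERSION="11.06.250"   # first release carrying the Polkit fix (from the advisory)

# version_ge A B: exit status 0 when A >= B, comparing each dotted component
# numerically (so 11.06.250 > 11.06.100, and "11.6.250" equals "11.06.250").
# test's -gt/-lt parse in base 10, which avoids octal surprises from "06".
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ "${ac:-0}" -gt "${bc:-0}" ] && return 0
        [ "${ac:-0}" -lt "${bc:-0}" ] && return 1
    done
    return 0   # all components equal
}

# advisory_status VERSION: prints "fixed" or "vulnerable" for CVE-2021-4034
# according to the release boundary stated in the advisory.
advisory_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# pkexec_setuid [PATH]: exit status 0 if the pkexec binary is setuid.
# The path is an assumption for this example; a patched release keeps the
# bit, so this only shows the privileged binary is present, not that it is fixed.
pkexec_setuid() {
    [ -u "${1:-/usr/bin/pkexec}" ]
}

# Constructed sample version strings (not real device inventory).
for v in 10.06.190 11.06.100 11.06.250 11.07.100; do
    printf '%s: %s\n' "$v" "$(advisory_status "$v")"
done
if pkexec_setuid; then
    echo "pkexec is installed setuid on this host"
else
    echo "pkexec is absent or not setuid on this host"
fi
```

Running the block prints one status line per sample version; the two functions are the reusable part, so a fleet audit would feed each device's version string to advisory_status.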
This issue can be mitigated by not giving users access to a terminal/virtual console on IGEL OS, which they could use to configure and run the exploit code:
Remove an existing local terminal session:
- In IGEL Setup, go to Accessories > Terminals.
- Select a local terminal session you want to delete.
- Click the trash icon to remove the selected session.
- When prompted, confirm that you want to delete the session.
- Click Apply.
Or password-protect the local terminal with the Administrator password:
- Find the local terminal session under Accessories > Terminals.
- Follow the instructions under Password-Protecting Sessions and Accessories.
Disable virtual console access:
- In IGEL Setup, go to User Interface > Display > Access Control.
- Activate Disable console switching (default: console switching enabled).
- Click Apply.
References:
- CVE-2021-4034: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
- Qualys Security Advisory: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt