What is Polkit Privilege Escalation - (CVE-2021–4034)?

  • “A memory corruption vulnerability in Polkit’s pkexec, which allows any unprivileged user to gain full root privilege on a vulnerable system using default polkit configuration” cit. Bharat Jogi, qualys.com

Playbook

How to mitigate Polkit Privilege Escalation - PWNKIT (CVE-2021–4034) on RedHat-like systems using the Ansible Playbook downloaded from RHSB-2022–001. The playbook installs SystemTap, builds a small script that blocks pkexec when it is invoked with an empty first argument, and loads it as the stap_pkexec_block kernel module.

code

Code downloaded from the Red Hat RHSB-2022-001 Ansible Playbook 1.0.

execution

ansible-pilot $ ansible-playbook -i virtualmachines/demo/inventory -e "HOSTS=demo.example.com" cve-2021-4034/cve-2021-4034_stap_mitigate--2022-01-25-0936.yml
PLAY [Block pkexec with empty first argument with systemtap] **************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [Install systemtap packages] *****************************************************************
changed: [demo.example.com]
TASK [(RHEL 7) Install kernel debuginfo] **********************************************************
skipping: [demo.example.com]
TASK [(RHEL 6/8) Install polkit debuginfo] ********************************************************
changed: [demo.example.com]
TASK [(RHEL 6) Install libselinux-python] *********************************************************
skipping: [demo.example.com]
TASK [Create systemtap script] ********************************************************************
changed: [demo.example.com]
TASK [Checking if stap_pkexec_block module is already loaded] *************************************
ok: [demo.example.com]
TASK [Install systemtap script] *******************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=6    changed=4    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
ansible-pilot $

before execution

ansible-pilot $ ssh devops@demo.example.com
Last login: Thu Jan 27 21:28:44 2022 from 192.168.0.102
[devops@demo ~]$ sudo su
[root@demo devops]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.5"
[root@demo devops]# lsmod | grep stap_pkexec_block
[root@demo devops]# exit
exit
[devops@demo ~]$

after execution

ansible-pilot $ ssh devops@demo.example.com
Last login: Thu Jan 27 21:34:11 2022 from 192.168.0.102
[devops@demo ~]$ sudo su
[root@demo devops]# lsmod | grep stap_pkexec_block
stap_pkexec_block     434176  0
[root@demo devops]# ls -al /root/
total 32
dr-xr-x---.  4 root root 210 Jan 27 21:35 .
dr-xr-xr-x. 17 root root 224 Dec  3 15:29 ..
-rw-------.  1 root root 789 Jan 27 21:30 .bash_history
-rw-r--r--.  1 root root  18 Aug 12  2018 .bash_logout
-rw-r--r--.  1 root root 176 Aug 12  2018 .bash_profile
-rw-r--r--.  1 root root 176 Aug 12  2018 .bashrc
-rw-r--r--.  1 root root 100 Aug 12  2018 .cshrc
drwx------.  2 root root  44 Jan 24 16:09 .gnupg
drwxr-xr-x.  3 root root  19 Jan 27 21:34 .systemtap
-rw-r--r--.  1 root root 129 Aug 12  2018 .tcshrc
-rw-------.  1 root root 923 Jan 24 17:37 .viminfo
-rw-r--r--.  1 root root   0 Jan 27 21:35 pkexec-block.log.0
-rw-------.  1 root root  97 Jan 27 21:34 pkexec-block.stp
[root@demo devops]# ls -al /root/pkexec-block.*
-rw-r--r--. 1 root root  0 Jan 27 21:35 /root/pkexec-block.log.0
-rw-------. 1 root root 97 Jan 27 21:34 /root/pkexec-block.stp
[root@demo devops]#
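The "after execution" session above verifies the mitigation by hand (lsmod, then ls on /root). The following POSIX shell helper does the same check so it can be scripted; it is an added example, not part of the original post or of the Red Hat playbook, and it assumes the module name and script path shown on this page.

```shell
#!/bin/sh
# Post-playbook verification helper for the RHSB-2022-001 SystemTap mitigation.
# Added example (not from the original post or the Red Hat playbook); it assumes
# the module name stap_pkexec_block and the script /root/pkexec-block.stp shown above.

# Return 0 when the given lsmod output (module name in column 1) lists
# stap_pkexec_block, 1 otherwise. Takes the text as an argument so it can be
# run against a captured listing as well as live output.
stap_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "stap_pkexec_block" { found = 1 } END { exit !found }'
}

# Return 0 when the SystemTap script the playbook creates exists as a regular
# file in the given directory (default /root, as on this page), 1 otherwise.
stap_script_present() {
    dir=${1:-/root}
    [ -f "$dir/pkexec-block.stp" ]
}

# Run both checks and report; exit status 0 only when both pass.
# $1: directory holding the script (default /root)
# $2: optional lsmod output (defaults to running lsmod on this host)
check_pkexec_mitigation() {
    dir=${1:-/root}
    if [ "$#" -ge 2 ]; then
        lsmod_out=$2
    else
        lsmod_out=$(lsmod 2>/dev/null || true)
    fi
    status=0
    if stap_module_loaded "$lsmod_out"; then
        echo "OK: stap_pkexec_block module is loaded"
    else
        echo "MISSING: stap_pkexec_block not loaded; rerun the RHSB-2022-001 playbook"
        status=1
    fi
    if stap_script_present "$dir"; then
        echo "OK: $dir/pkexec-block.stp is present"
    else
        echo "MISSING: $dir/pkexec-block.stp not found"
        status=1
    fi
    return "$status"
}
```

Because the module is loaded at runtime rather than registered to load at boot, rerun this check after every reboot as well as after the playbook.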

Conclusion

Now you know how to mitigate the Polkit Privilege Escalation - PWNKIT (CVE-2021–4034) on RedHat-like systems using the Ansible Playbook 1.0 published on RHSB-2022–001.

Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.
