
=====================================================================

                             CERT-Renater

                   Information Note No. 2021/VULN045
_____________________________________________________________________

DATE                : 27/01/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Ubuntu running policykit-1.

=====================================================================
https://ubuntu.com/security/notices/USN-5252-1
https://ubuntu.com/security/notices/USN-5252-2
_____________________________________________________________________


USN-5252-1: PolicyKit vulnerability
25 January 2022

policykit-1 could be made to run programs as an administrator.

Releases

   o Ubuntu 21.10
   o Ubuntu 20.04 LTS
   o Ubuntu 18.04 LTS

Packages

   o policykit-1 - framework for managing administrative policies and
     privileges

Details

It was discovered that the PolicyKit pkexec tool incorrectly handled
command-line arguments. A local attacker could use this issue to escalate
privileges to an administrator.

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10

   o policykit-1 - 0.105-31ubuntu0.1

Ubuntu 20.04

   o policykit-1 - 0.105-26ubuntu1.2

Ubuntu 18.04

   o policykit-1 - 0.105-20ubuntu0.18.04.6

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

   o CVE-2021-4034

Related notices

   o USN-5252-2 : policykit-1-doc, gir1.2-polkit-1.0, libpolkit-backend-1-dev,
     libpolkit-gobject-1-dev, libpolkit-gobject-1-0, libpolkit-agent-1-0,
     libpolkit-agent-1-dev, libpolkit-backend-1-0, policykit-1


_____________________________________________________________________


USN-5252-2: PolicyKit vulnerability
25 January 2022

policykit-1 could be made to run programs as an administrator.

Releases

   o Ubuntu 16.04 ESM
   o Ubuntu 14.04 ESM

Packages

   o policykit-1 - framework for managing administrative policies and
     privileges

Details

USN-5252-1 fixed a vulnerability in policykit-1. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

It was discovered that the PolicyKit pkexec tool incorrectly handled
command-line arguments. A local attacker could use this issue to escalate
privileges to an administrator.

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04

   o policykit-1 - 0.105-14.1ubuntu0.5+esm1
     Available with UA Infra or UA Desktop

Ubuntu 14.04

   o policykit-1 - 0.105-4ubuntu3.14.04.6+esm1
     Available with UA Infra or UA Desktop

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

   o CVE-2021-4034

Related notices

   o USN-5252-1 : libpolkit-agent-1-0, gir1.2-polkit-1.0, libpolkit-backend-1-0,
     libpolkit-gobject-1-0, libpolkit-backend-1-dev, libpolkit-gobject-1-dev,
     policykit-1-doc, policykit-1, libpolkit-agent-1-dev


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

