Pwnkit CVE
Overview
"PwnKit" (CVE-2021-4034) is a local privilege escalation vulnerability in polkit's pkexec: any unprivileged local user on an affected Linux host can gain root.
A yum update for polkit addresses this issue. We recommend patching your OS to mitigate the risk.
Background on Pwnkit
CVE-2021-4034 was disclosed by Qualys in January 2022 (the CVE ID was reserved in 2021). It affects most Linux distributions, because the bug has been present in pkexec since its first release in 2009. pkexec is the setuid-root helper that ships with Policy Kit (polkit) and is installed by default on most distributions; an unprivileged local user can trigger a memory-corruption bug in it (an out-of-bounds write when pkexec is run with an empty argument list) and obtain a root shell. No network access is required, only a local shell or code execution on the host.
See this article for more details: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
Mitigation
SFTP Gateway 2.x on Azure uses CentOS 8 for the OS. Note that the polkit package strings shown below carry the el7 release tag, i.e. they come from the CentOS/RHEL 7 package line; on an el8 system the fixed build carries a different release string, so check the package changelog for the CVE rather than matching these strings exactly. To determine your current version of polkit, run this command:
yum list installed polkit
On an unpatched instance you will see output like the following (the base el7 build, without an el7_9.N suffix):
polkit.x86_64 0.112-26.el7 @base
You can run yum update -y to update everything. Or, you can update polkit specifically:
yum update -y polkit
When you check the version of polkit again, you should see the el7_9.1 release suffix (the build that contains the fix):
polkit.x86_64 0.112-26.el7_9.1 @updates
If you cannot update immediately, the interim workaround is to remove the setuid bit from pkexec (chmod 0755 /usr/bin/pkexec). This disables pkexec for legitimate use as well, but the updated package reinstalls the binary with its correct mode, so the workaround does not need to be reverted by hand.
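The following audit script is an added example, not code from the original page or from the SFTP Gateway product. It assumes the RHEL/CentOS 7 fixed build is 0.112-26.el7_9.1 (the string shown above) and that the fixed RPM's changelog mentions CVE-2021-4034, which Red Hat builds normally do; the function and file names are the example's own. Its helpers parse the yum output line, decide whether an el7 release string is at or past the fix, and check whether pkexec is still setuid, and the --audit mode runs those checks against the live host.

```shell
#!/bin/sh
# pwnkit_check.sh: audit helper for CVE-2021-4034 on a CentOS/RHEL 7 host.
# Added example; not part of the SFTP Gateway documentation.
# Assumption: the RHEL 7 fixed build is polkit-0.112-26.el7_9.1.

# Pull the version-release field out of a `yum list installed polkit` line,
# e.g. "polkit.x86_64 0.112-26.el7_9.1 @updates" -> "0.112-26.el7_9.1".
# Header lines such as "Installed Packages" do not match and are dropped.
polkit_release() {
    printf '%s\n' "$1" | awk '$1 ~ /^polkit\./ { print $2 }'
}

# Return 0 when the release string is the el7 fixed build or a later build in
# the same 0.112-26.el7_9 update stream. A plain "el7" release (no el7_9.N
# suffix) predates the fix; any other base version is treated as unknown.
el7_release_is_fixed() {
    rel="$1"
    case "$rel" in
        0.112-26.el7_9.*) ;;        # RHEL/CentOS 7.9 update stream
        *) return 1 ;;              # base el7 build or different base: not fixed
    esac
    n="${rel##*.el7_9.}"
    case "$n" in
        ''|*[!0-9]*) return 1 ;;    # non-numeric trailer: do not guess
    esac
    [ "$n" -ge 1 ]
}

# Does the given binary carry the setuid bit? pkexec is only useful to an
# attacker while it is setuid-root; clearing the bit is the interim workaround.
has_suid() {
    [ -u "$1" ]
}

# Live check against the running host. Exit status 1 means the installed
# polkit does not reference the CVE in its changelog (i.e. still vulnerable).
audit_host() {
    line=$(yum list installed polkit 2>/dev/null | awk '$1 ~ /^polkit\./')
    rel=$(polkit_release "$line")
    status=0
    # Assumption: the fixed RPM's changelog contains the CVE ID.
    if rpm -q --changelog polkit 2>/dev/null | grep -q 'CVE-2021-4034'; then
        echo "polkit $rel: changelog references CVE-2021-4034 (fixed build)"
    else
        echo "polkit $rel: no CVE-2021-4034 entry in changelog; run: yum update -y polkit"
        status=1
    fi
    if has_suid /usr/bin/pkexec; then
        echo "/usr/bin/pkexec is setuid-root; interim workaround: chmod 0755 /usr/bin/pkexec"
    else
        echo "/usr/bin/pkexec is not setuid (workaround applied or package absent)"
    fi
    return $status
}

# Only touch the live system when explicitly asked: sh pwnkit_check.sh --audit
case "${1:-}" in
    --audit) audit_host ;;
esac
```

Run it as root with --audit on the instance; the changelog check is the authoritative one, since it does not depend on the exact release string of the distribution build you happen to have.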