January 2022 – Macronet

Mitigating CVE-2021-4034 (policykit pkexec) vulnerability on CentOS 6

Kernel and drivers, Legacy, Linux Comments Off

Jan 272022

CentOS 6 has been end of life since 30.11.2020 – do not use it.

Well, you’re still reading this, so you are using it.

Really really quick mitigation: remove SUID-bit from pkexec: chmod ug-s /usr/bin/pkexec

RedHat provides updates and mitigation steps for RHEL6 (extended support), RHEL7 and RHEL8 on their customer portal – https://access.redhat.com/security/cve/CVE-2021-4034

Based on their excellent documentation it is easy to build a mitigation for CentOS 6 also.

Make sure you can still install packages (f.ex use CentOS Vault)

Install systemtap & kernel-devel -packages

Download and install polkit-debuginfo-0.96-11.el6_10.1.x86_64.rpm (or equivalent correct version) from CentOS debuginfo-mirror (f.ex http://mirror.facebook.net/centos-debuginfo/6/x86_64/)

Create pkexec_block.stp with the following content

    probe process("/usr/bin/pkexec").function("main") {
        if (cmdline arg(1) == "")
                        raise(9);
}

Compile and install module:

stap -g -F -m stap_pkexec_block pkexec_block.stp

Verify with lsmod that stap_pkexec_block -kernel module is loaded.

Make sure that module is loaded also after a reboot (copy to right place, run depmod -a & verify).

Mitigating log4j vulnerabilities on EOL UniFi(-video) services

Legacy, Linux, Software Comments Off

Jan 102022

Official fixes for UniFi Network Application came in 6.5.54 (CVE-2021-44228) & 6.5.55 (CVE-2021-45046).
UniFi Video is EOL and will not receive updates.

If there is an older version used for some reason, it’s up to the server administrator to update required jar-files.

This is tested with unifi-video 3.10.13 & unifi 5.14.23-13880-1, running on Debian 11.

unifi (5.14.23-13880-1)

Download log4j v2.12.4 (last version supporting Java 7) from Apache (https://www.apache.org/dyn/closer.lua/logging/log4j/2.12.4/apache-log4j-2.12.4-bin.tar.gz)

Extract to temporary location, copy original files to a backup location & following downloaded files in their place:
log4j-api-2.12.4.jar -> /usr/lib/unifi/lib/log4j-api-2.12.1.jar
log4j-core-2.12.4.jar -> /usr/lib/unifi/lib/log4j-core-2.12.1.jar
log4j-slf4j-impl-2.12.4.jar -> /usr/lib/unifi/lib/log4j-slf4j-impl-2.12.1.jar

Restart unifi -service.

unifi-video (3.10.13)

Download log4j v2.3.2 (last version supporting Java 6) from Apache (https://www.apache.org/dyn/closer.lua/logging/log4j/2.3.2/apache-log4j-2.3.2-bin.tar.gz)

Extract to temporary location, copy original files to a backup location & following downloaded files in their place:
log4j-api-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-api-2.1.jar
log4j-core-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-core-2.1.jar
log4j-slf4j-impl-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-slf4j-impl-2.1.jar

Restart unifi-video -service.