Jan 27 2022
 

CentOS 6 has been end of life since 30.11.2020 – do not use it.

Well, you’re still reading this, so you are using it.

Really, really quick mitigation: remove the SUID bit from pkexec: chmod ug-s /usr/bin/pkexec

Red Hat provides updates and mitigation steps for RHEL6 (extended support), RHEL7 and RHEL8 on their customer portal – https://access.redhat.com/security/cve/CVE-2021-4034

Based on their excellent documentation, it is easy to build a mitigation for CentOS 6 as well.

  • Make sure you can still install packages (e.g. use CentOS Vault)
  • Install the systemtap and kernel-devel packages
  • Create pkexec_block.stp with the following content
    probe process("/usr/bin/pkexec").function("main") {
        # Kill pkexec with signal 9 (SIGKILL) when its first argument is empty
        if (cmdline_arg(1) == "")
            raise(9);
    }
  • Compile and install the module:
    stap -g -F -m stap_pkexec_block pkexec_block.stp
  • Verify with lsmod that the stap_pkexec_block kernel module is loaded.
  • Make sure the module is also loaded after a reboot (copy it to the right place, run depmod -a and verify).
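
A check for the steps above, as an added example that is not part of the original post: it reports whether pkexec still carries a SUID/SGID bit and whether stap_pkexec_block appears in lsmod output. The function names and status words are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report which mitigation, if any,
# is in place. Function names and status words are hypothetical.

# True if the file still carries a setuid or setgid bit.
has_suid_sgid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# True if module $1 is in the first column of lsmod-style text on stdin.
# Exact match, so a similarly named module does not count.
module_listed() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Args: pkexec path, module name, lsmod output.
# Prints a status word; returns 0 if mitigated, 1 if not.
pkexec_mitigation_status() {
    bin=$1 mod=$2 lsmod_text=$3
    if [ ! -e "$bin" ]; then
        echo "absent"; return 0
    fi
    if ! has_suid_sgid "$bin"; then
        echo "suid-removed"; return 0
    fi
    if printf '%s\n' "$lsmod_text" | module_listed "$mod"; then
        echo "stap-block-loaded"; return 0
    fi
    echo "unmitigated"; return 1
}

# Run against the live system only when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    pkexec_mitigation_status /usr/bin/pkexec stap_pkexec_block "$(lsmod)"
fi
```

A non-zero exit status means neither mitigation was found, which makes the script usable from cron or a monitoring check after each reboot.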
