Jan 272022
CentOS 6 has been end of life since 30.11.2020 – do not use it.
Well, you’re still reading this, so you are using it.
Really really quick mitigation: remove SUID-bit from pkexec: chmod ug-s /usr/bin/pkexec
RedHat provides updates and mitigation steps for RHEL6 (extended support), RHEL7 and RHEL8 on their customer portal – https://access.redhat.com/security/cve/CVE-2021-4034
Based on their excellent documentation it is easy to build a mitigation for CentOS 6 also.
- Make sure you can still install packages (f.ex use CentOS Vault)
- Install systemtap & kernel-devel -packages
- Download and install polkit-debuginfo-0.96-11.el6_10.1.x86_64.rpm (or equivalent correct version) from CentOS debuginfo-mirror (f.ex http://mirror.facebook.net/centos-debuginfo/6/x86_64/)
- Create pkexec_block.stp with the following content
probe process("/usr/bin/pkexec").function("main") {
if (cmdline arg(1) == "")
raise(9);
}
- Compile and install module:
stap -g -F -m stap_pkexec_block pkexec_block.stp
- Verify with lsmod that stap_pkexec_block -kernel module is loaded.
- Make sure that module is loaded also after a reboot (copy to right place, run depmod -a & verify).
Sorry, the comment form is closed at this time.