Mitigating CVE-2021-4034 (policykit pkexec) vulnerability on CentOS 6

Kernel and drivers, Legacy, Linux
Jan 27, 2022

CentOS 6 has been end of life since 30.11.2020 – do not use it.

Well, you’re still reading this, so you are using it.

Really really quick mitigation: remove the SUID bit from pkexec: chmod ug-s /usr/bin/pkexec

Red Hat provides updates and mitigation steps for RHEL6 (extended support), RHEL7 and RHEL8 on their customer portal – https://access.redhat.com/security/cve/CVE-2021-4034

Based on their excellent documentation it is easy to build a mitigation for CentOS 6 also.

  • Make sure you can still install packages (for example, use CentOS Vault)
  • Install the systemtap and kernel-devel packages
  • Create pkexec_block.stp with the following content:
    # Kill pkexec (signal 9, SIGKILL) as soon as it starts with an empty first argument
    probe process("/usr/bin/pkexec").function("main") {
        if (cmdline_arg(1) == "")
            raise(9);
    }
  • Compile and install the module:
    stap -g -F -m stap_pkexec_block pkexec_block.stp
  • Verify with lsmod that the stap_pkexec_block kernel module is loaded.
  • Make sure that the module is also loaded after a reboot (copy it to the right place, run depmod -a and verify).
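A small check script for the two mitigations above, added here as an example (not part of the original post): it reports whether pkexec still carries the SUID bit and whether the stap_pkexec_block module is loaded. The pkexec path and the module list file are parameters so the functions can be exercised against test data.

```shell
#!/bin/sh
# Added verification script (not part of the original post). It checks the two
# CVE-2021-4034 mitigations given above on a CentOS 6 host: that
# /usr/bin/pkexec no longer carries the SUID bit and that the stap_pkexec_block
# module is loaded. Paths are parameters so the checks can run against test data.

# has_suid_bit PERMS -> 0 if a `stat -c %A` string such as "-rwsr-xr-x" carries
# the setuid or setgid bit (an 's' or 'S' in the owner or group execute slot).
has_suid_bit() {
    case "$1" in
        ???[sS]*|??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# module_loaded NAME [FILE] -> 0 if NAME is listed in FILE (default
# /proc/modules, the same list lsmod prints).
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}" 2>/dev/null
}

# pkexec_mitigated [PKEXEC] [MODULES_FILE] -> 0 when at least one mitigation
# is in place, 1 when neither is. Prints one line per check.
pkexec_mitigated() {
    pkexec="${1:-/usr/bin/pkexec}"
    modfile="${2:-/proc/modules}"
    status=1
    if [ -e "$pkexec" ]; then
        perms=$(stat -c %A "$pkexec")
        if has_suid_bit "$perms"; then
            echo "WARN: $pkexec still has the SUID/SGID bit ($perms)"
        else
            echo "OK:   $pkexec has no SUID/SGID bit ($perms)"
            status=0
        fi
    else
        echo "OK:   $pkexec is not installed"
        status=0
    fi
    if module_loaded stap_pkexec_block "$modfile"; then
        echo "OK:   stap_pkexec_block module is loaded"
        status=0
    else
        echo "WARN: stap_pkexec_block module is not loaded"
    fi
    return $status
}
```

Run `pkexec_mitigated` with no arguments on the host itself; a non-zero exit means neither mitigation is active.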

Mitigating log4j vulnerabilities on EOL UniFi(-video) services

Legacy, Linux, Software
Jan 10, 2022

Official fixes for UniFi Network Application came in 6.5.54 (CVE-2021-44228) & 6.5.55 (CVE-2021-45046).
UniFi Video is EOL and will not receive updates.

If an older version is still in use for some reason, it's up to the server administrator to update the required jar files.

This is tested with unifi-video 3.10.13 & unifi 5.14.23-13880-1, running on Debian 11.

unifi (5.14.23-13880-1)

Download log4j v2.12.4 (last version supporting Java 7) from Apache (https://www.apache.org/dyn/closer.lua/logging/log4j/2.12.4/apache-log4j-2.12.4-bin.tar.gz)

Extract to a temporary location, copy the original files to a backup location and put the following downloaded files in their place:
log4j-api-2.12.4.jar -> /usr/lib/unifi/lib/log4j-api-2.12.1.jar
log4j-core-2.12.4.jar -> /usr/lib/unifi/lib/log4j-core-2.12.1.jar
log4j-slf4j-impl-2.12.4.jar -> /usr/lib/unifi/lib/log4j-slf4j-impl-2.12.1.jar

Restart the unifi service.

unifi-video (3.10.13)

Download log4j v2.3.2 (last version supporting Java 6) from Apache (https://www.apache.org/dyn/closer.lua/logging/log4j/2.3.2/apache-log4j-2.3.2-bin.tar.gz)

Extract to a temporary location, copy the original files to a backup location and put the following downloaded files in their place:
log4j-api-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-api-2.1.jar
log4j-core-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-core-2.1.jar
log4j-slf4j-impl-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-slf4j-impl-2.1.jar

Restart the unifi-video service.
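The jar swap for both unifi and unifi-video above, as an added helper that is not part of the original post: it verifies that every file of the mapping exists before touching anything, backs up each bundled jar once, and copies the downloaded jar over it under the old name. The directory layout of the extracted Apache tarball and the backup path are assumptions.

```shell
#!/bin/sh
# Added helper, not part of the original post, for the jar swap described
# above: each downloaded log4j jar is copied over the bundled one under the
# file name the application expects, after the original has been backed up.
# The name mappings are the ones listed in the post; the directory layout
# of the extracted Apache tarball (jars at its top level) is an assumption.

# replace_jars SRC_DIR LIB_DIR BACKUP_DIR "new.jar:old.jar ..." -> 0 on success.
# Checks every file of the mapping before touching anything, so a half-done
# swap (mixed log4j versions on the classpath) cannot happen.
replace_jars() {
    src="$1"; lib="$2"; backup="$3"; mapping="$4"
    for pair in $mapping; do
        new="${pair%%:*}"; old="${pair#*:}"
        [ -f "$src/$new" ] || { echo "missing $src/$new" >&2; return 1; }
        [ -f "$lib/$old" ] || { echo "missing $lib/$old (other app version?)" >&2; return 1; }
    done
    mkdir -p "$backup" || return 1
    for pair in $mapping; do
        new="${pair%%:*}"; old="${pair#*:}"
        # keep the first backup: a rerun must not overwrite it with the new jar
        [ -e "$backup/$old" ] || cp -p "$lib/$old" "$backup/$old" || return 1
        cp "$src/$new" "$lib/$old" || return 1
        echo "replaced $lib/$old with $new"
    done
}

# Mappings from the post: downloaded jar -> bundled jar it replaces
UNIFI_MAP="log4j-api-2.12.4.jar:log4j-api-2.12.1.jar \
log4j-core-2.12.4.jar:log4j-core-2.12.1.jar \
log4j-slf4j-impl-2.12.4.jar:log4j-slf4j-impl-2.12.1.jar"
UNIFI_VIDEO_MAP="log4j-api-2.3.2.jar:log4j-api-2.1.jar \
log4j-core-2.3.2.jar:log4j-core-2.1.jar \
log4j-slf4j-impl-2.3.2.jar:log4j-slf4j-impl-2.1.jar"

# Example call (paths assumed), after extracting the tarball under /tmp/log4j,
# followed by a restart of the unifi service as described in the post:
#   replace_jars /tmp/log4j/apache-log4j-2.12.4-bin /usr/lib/unifi/lib \
#       /root/log4j-backup "$UNIFI_MAP"
```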

Jan 20, 2013

Debian Squeeze was released 06.02.2011.
Please note that Wheezy is still in the testing stage. Debian Wheezy was released 04.05.2013.

Just some quick steps on how to do the upgrade (at your own risk).

  1. Update Squeeze
    aptitude update
    aptitude upgrade
  2. Copy /etc/apt/sources.list to /etc/apt/sources.list.d/debian-wheezy.list and replace squeeze with wheezy, or add the entries inside sources.list. Use whichever mirror is closest to you.
    deb http://ftp.fi.debian.org/debian/ wheezy main contrib non-free
    deb http://ftp.fi.debian.org/debian/ wheezy-updates main contrib non-free
    deb http://security.debian.org/ wheezy/updates main contrib non-free
  3. Update repository
    aptitude update
  4. Upgrade critical parts first – it will complain about libept1 – just let it be removed.
    aptitude install dpkg apt aptitude
  5. (Dist-)upgrade the rest
    aptitude upgrade
    aptitude dist-upgrade
  6. IF YOU ARE STILL RUNNING UNDER XEN 3.x:
    Replace grub2 with grub1 (or just keep your old menu.lst at /boot/grub/)
    aptitude purge grub-pc
    aptitude install grub-legacy
  7. Always check that /boot/grub/menu.lst or /boot/grub/grub.cfg exists and defaults to the right kernel
  8. Reboot and hope for the best

Complete instructions: https://www.debian.org/releases/stable/i386/release-notes/ch-upgrading.html

Jan 18, 2012

One way to get IPv6 /64 bridged to your LAN:


brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ebtables -t broute -A BROUTING -p ! ipv6 -j DROP
ifconfig br0 up

 

Explained: this creates a software bridge from your WAN interface to your LAN interface but lets only IPv6 cross it. In the ebtables broute table, DROP means "route this frame instead of bridging it", so every frame that is not IPv6 goes to the host's own IP stack rather than straight to the other side. In my setup IPv4 is NATed.

Dec 9, 2011

Debian Squeeze was released 06.02.2011 and Lenny's support will (probably) be discontinued on 06.02.2012.

 

Problem: apt-get update && apt-get dist-upgrade broke everything, server did not boot anymore.

Troubleshooting: squeeze has grub2, which our Xen 3.x and pygrub didn’t understand

Solution: upgrade with the following steps; use apt-get or aptitude, whichever you like.

  1. Update Lenny
    aptitude update
    aptitude upgrade
  2. Replace lenny with squeeze in /etc/apt/sources.list – or add necessary entries to another file under /etc/apt/sources.list.d/
    deb http://ftp.fi.debian.org/debian/ squeeze main contrib non-free
    deb http://ftp.fi.debian.org/debian/ squeeze-updates main contrib non-free
    deb http://security.debian.org/ squeeze/updates main contrib non-free
  3. Update repository
    aptitude update
  4. Upgrade critical parts first
    aptitude install dpkg apt aptitude
  5. (Dist-)upgrade rest
    aptitude upgrade
    aptitude dist-upgrade
  6. Replace grub2 with grub1 (or just keep your old menu.lst at /boot/grub/)
    aptitude purge grub-pc
    aptitude install grub-legacy
  7. Check that /boot/grub/menu.lst exists and defaults to the right kernel
  8. Reboot and hope for the best

 

Also remember to use the 2.6.39 kernel from backports for live migration to work.
Update 01/2013: the 2.6.32 kernel usually works just fine; Lenny's EOL date is 6.2.2012.
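The "menu.lst defaults to the right kernel" check from both upgrade posts above (Squeeze to Wheezy, and Lenny to Squeeze), as an added example that is not part of the original posts: it reads a grub-legacy menu.lst the way pygrub does, resolving the `default N` entry to the N-th `title` block and reporting its kernel, and optionally verifies that the kernel file is actually present. The kernel names in the test data are constructed.

```shell
#!/bin/sh
# Added check (not part of the original posts) for the "menu.lst defaults to
# the right kernel" step of both upgrades above. A grub-legacy menu.lst is
# what pygrub reads under Xen 3.x: `default N` selects the N-th `title` block
# (counting from 0) and that block's `kernel` line is what the domU boots.

# default_kernel MENU_LST -> prints the kernel path of the default entry.
# Returns 1 when no entry matches and 2 when `default` is not a plain number
# (e.g. "default saved"), which pygrub cannot resolve on its own.
default_kernel() {
    awk '
        /^[ \t]*default[ \t]+/ { def = $2 }
        /^[ \t]*title[ \t]+/   { n++ }
        /^[ \t]*kernel[ \t]+/  { k[n - 1] = $2 }
        END {
            if (def == "") def = "0"
            if (def !~ /^[0-9]+$/) exit 2
            if (def in k) { print k[def]; exit 0 }
            exit 1
        }' "$1"
}

# default_kernel_present MENU_LST [ROOT] -> 0 if the default kernel file exists
# below ROOT. Kernel paths in menu.lst are relative to the grub root device, so
# pass ROOT=/boot when /boot is a separate partition, nothing when it is not.
# Catches a menu.lst that still points at a kernel the upgrade removed.
default_kernel_present() {
    kernel=$(default_kernel "$1") || return 1
    root="${2:-}"
    [ -f "$root$kernel" ]
}
```

Run `default_kernel_present /boot/grub/menu.lst` before the reboot step; a non-zero exit means the entry pygrub will pick does not point at an installed kernel.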