Update of our platform against the Pwnkit Linux vulnerability
Since January 31st, all Linux images in the Clouding control panel have been updated against the recently detected Linux Pwnkit vulnerability. Therefore, this vulnerability does not affect users who choose these distros to create their cloud servers in Clouding.
Last week, Qualys researchers discovered a vulnerability that affects most Linux distros. It has been registered as CVE-2021-4034 and named Pwnkit. It allows an unprivileged user who already has access to a host to gain root on it. It is a memory corruption bug in Polkit, a component that controls system-wide privileges on most Linux distros. Polkit includes pkexec, a program that lets a user who lacks the necessary permissions execute commands as another user, with maximum privileges.
According to the researchers, the bug originated more than twelve years ago and appears to come from the initial commit of pkexec. Therefore, all versions of Polkit are affected.
In order for this vulnerability not to affect our users, at Clouding we’ve now applied the patches recommended by the Polkit authors to all the preinstalled Linux images in our control panel.
If you already have a server, we recommend that you update all its packages to fix this vulnerability. On web/DB/email servers the vulnerability is very difficult to exploit, since it requires SSH access or access to the server as a user. If your operating system is EOL or close to end of life, a solution is to remove the SUID bit from pkexec so that only the root user can use it to run commands with elevated privileges, for example with chmod 0755 /usr/bin/pkexec.
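The workaround above, as an added example that is not part of the original post: a shell script that reports whether pkexec still carries the SUID bit and applies chmod 0755 with a verification step. The function names and the PKEXEC override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit and apply the pkexec SUID workaround from the article.
# PKEXEC defaults to the path named in the article; the override variable is
# an assumption of this example so the functions can be tried on a test file.
PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# Print one of: absent | suid | no-suid
pkexec_state() {
    f="${1:-$PKEXEC}"
    if [ ! -e "$f" ]; then
        echo absent
    elif [ -u "$f" ]; then
        echo suid       # setuid bit present: binary runs with its owner's privileges
    else
        echo no-suid    # workaround in place (or the bit was never set)
    fi
}

# Apply the article's workaround (chmod 0755) and confirm it took effect.
# Returns 0 only if the file is absent or the SUID bit is gone afterwards.
mitigate_pkexec() {
    f="${1:-$PKEXEC}"
    [ -e "$f" ] || return 0         # nothing to mitigate
    chmod 0755 "$f" || return 1     # needs root on a real system
    [ "$(pkexec_state "$f")" = "no-suid" ]
}

# Read-only report when the script is run directly. A package upgrade or
# reinstall of polkit can restore the SUID bit, so repeat the check afterwards.
echo "$PKEXEC: $(pkexec_state)"
```

Once the SUID bit is removed, tools that call pkexec on behalf of non-root users stop being able to elevate, so check what depends on it before applying the change on a desktop or management host.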
If you have any questions about this issue, our Support team will be able to answer them and help you with whatever you need. E-mail us at [email protected] or call us; we’ll be happy to assist you.