SCA-2022-0002
Vulnerability from csaf_sick
Published
2022-02-23 16:00
Modified
2022-02-23 16:00
Summary
PwnKit vulnerability affects multiple SICK IPCs
Notes
CVE-2021-4034 is a Local Privilege Escalation (LPE) vulnerability, located in the "Polkit" package
installed by default on almost every major distribution of the Linux operating system.
On 2022-01-25, Qualys released an advisory for this LPE vulnerability, advising to either update the “Polkit” package or implement the mitigation that Qualys recommends.
In an air-gapped system SICK recommends all customers to implement at least the available mitigation for the corresponding Linux distribution. Please note, that this vulnerability can be exploited only if an user with unprivileged authorization can establish a connection to the systems.
General Security Measures
As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.
Vulnerability Classification
SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.
{ document: { category: "csaf_security_advisory", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", }, }, lang: "en-US", notes: [ { audience: "all", category: "summary", text: "CVE-2021-4034 is a Local Privilege Escalation (LPE) vulnerability, located in the \"Polkit\" package \ninstalled by default on almost every major distribution of the Linux operating system.\n\nOn 2022-01-25, Qualys released an advisory for this LPE vulnerability, advising to either update the “Polkit” package or implement the mitigation that Qualys recommends.\n\nIn an air-gapped system SICK recommends all customers to implement at least the available mitigation for the corresponding Linux distribution. Please note, that this vulnerability can be exploited only if an user with unprivileged authorization can establish a connection to the systems. ", }, { category: "general", text: "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.", title: "General Security Measures", }, { category: "general", text: "SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.", title: "Vulnerability Classification", }, ], publisher: { category: "vendor", contact_details: "psirt@sick.de", issuing_authority: "SICK PSIRT is responsible for any vulnerabilities related to SICK products.", name: "SICK PSIRT", namespace: "https://sick.com/psirt", }, references: [ { summary: "SICK PSIRT Security Advisories", url: "https://sick.com/psirt", }, { summary: "SICK Operating Guidelines", url: "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF", }, { summary: "ICS-CERT recommended practices on Industrial Security", url: "http://ics-cert.us-cert.gov/content/recommended-practices", }, { summary: "CVSS v3.1 Calculator", url: "https://www.first.org/cvss/calculator/3.1", }, { category: "self", summary: "The canonical URL.", url: "https://www.sick.com/.well-known/csaf/white/2022/sca-2022-0002.json", }, ], title: "PwnKit vulnerability affects multiple SICK IPCs", tracking: { current_release_date: "2022-02-23T16:00:00.000Z", generator: { date: "2023-02-10T09:01:25.481Z", engine: { name: "Secvisogram", version: "2.0.0", }, }, id: "SCA-2022-0002", initial_release_date: "2022-02-23T16:00:00.000Z", revision_history: [ { date: "2022-02-23T16:00:00.000Z", number: "1", summary: "Initial release", }, { date: "2023-02-10T11:00:00.000Z", number: "2", summary: "Updated Advisory (only visual changes)", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE5401, M16G, 1TB, LINUX, CUSTOM all versions", product_id: "CSAFPID-0001", product_identification_helper: { skus: [ "1111424", ], }, }, }, ], category: "product_name", name: "PC, MXE5401, M16G, 1TB, LINUX, CUSTOM", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE5401, M16G, 2TB, C7 all versions", product_id: "CSAFPID-0002", product_identification_helper: { skus: [ "1099249", ], }, }, }, ], category: "product_name", name: "PC, MXE5401, M16G, 2TB, C7", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE5401, M16G, 1TB, C7 all versions", product_id: "CSAFPID-0003", product_identification_helper: { skus: [ "1099248", ], }, }, }, ], category: "product_name", name: "PC, MXE5401, M16G, 1TB, C7", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, EOS1300, M16G, 1TB, C7 all versions", product_id: "CSAFPID-0004", product_identification_helper: { skus: [ "1092516", ], }, }, }, ], category: "product_name", name: "PC, EOS1300, M16G, 1TB, C7", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, EOS1300, M16G, 2TB, C7 all versions", product_id: "CSAFPID-0005", product_identification_helper: { skus: [ "1092517", ], }, }, }, ], category: "product_name", name: "PC, EOS1300, M16G, 2TB, C7", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE-5401, SSCT, R0, 2TB all versions", product_id: "CSAFPID-0006", product_identification_helper: { skus: [ "2084896", "2098056", ], }, }, }, ], category: "product_name", name: "PC, MXE-5401, SSCT, R0, 2TB", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE-5401,R0,2TB,SS-X all versions", product_id: "CSAFPID-0007", product_identification_helper: { skus: [ "2095232", ], }, }, }, ], category: "product_name", name: "PC, MXE-5401,R0,2TB,SS-X", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE-5401,R0,2TB,UDS-X all versions", product_id: "CSAFPID-0008", product_identification_helper: { skus: [ "2104564", ], }, }, }, ], category: "product_name", name: "PC, MXE-5401,R0,2TB,UDS-X", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE-5321, SSXT, R0, 2TB all versions", product_id: "CSAFPID-0009", product_identification_helper: { skus: [ "2084076", ], }, }, }, ], category: "product_name", name: "PC, MXE-5321, SSXT, R0, 2TB", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE-5321, SSAT, R0, 2TB all versions", product_id: "CSAFPID-0010", product_identification_helper: { skus: [ "2084077", ], }, }, }, ], category: "product_name", name: "PC, MXE-5321, SSAT, R0, 2TB", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE-5321, UDS, R0, 2TB all versions", product_id: "CSAFPID-0011", product_identification_helper: { skus: [ "2084078", ], }, }, }, ], category: "product_name", name: "PC, MXE-5321, UDS, R0, 2TB", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE-5401, SSAT, R0, 2TB all versions", product_id: "CSAFPID-0012", product_identification_helper: { skus: [ "2084897", ], }, }, }, ], category: "product_name", name: "PC, MXE-5401, SSAT, R0, 2TB", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE-5401, UDS, R0, 2TB all versions", product_id: "CSAFPID-0013", product_identification_helper: { skus: [ "2084898", ], }, }, }, ], category: "product_name", name: "PC, MXE-5401, UDS, R0, 2TB", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, MXE-5401, SP, R0,2TB all versions", product_id: "CSAFPID-0014", product_identification_helper: { skus: [ "2099100", ], }, }, }, ], category: "product_name", name: "PC, MXE-5401, SP, R0,2TB", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC-MXE 5401, CUSTOM, C6, 1TB all versions", product_id: "CSAFPID-0015", product_identification_helper: { skus: [ "2056761", ], }, }, }, ], category: "product_name", name: "PC-MXE 5401, CUSTOM, C6, 1TB", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK ERGO,DISP,KIT,C6X,CUSTOM all versions", product_id: "CSAFPID-0016", product_identification_helper: { skus: [ "2087772", ], }, }, }, ], category: "product_name", name: "ERGO,DISP,KIT,C6X,CUSTOM", }, { branches: [ { category: "product_version_range", name: "vers:all/*", product: { name: "SICK PC, K700-SE-MS4X, M16G, 1TB all versions", product_id: "CSAFPID-0017", product_identification_helper: { skus: [ "1122338", ], }, }, }, ], category: "product_name", name: "PC, K700-SE-MS4X, M16G, 1TB", }, ], category: "vendor", name: "SICK AG", }, ], full_product_names: [ { name: "CentOS", product_id: "CSAFPID-0018", }, { name: "RedHat", product_id: "CSAFPID-0019", }, { name: "Ubuntu", product_id: "CSAFPID-0020", }, ], relationships: [ { category: "installed_on", full_product_name: { name: "SICK PC, MXE5401, M16G, 1TB, LINUX, CUSTOM all versions (CentOS)", product_id: "CSAFPID-0021", }, product_reference: "CSAFPID-0018", relates_to_product_reference: "CSAFPID-0001", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE5401, M16G, 2TB, C7 all versions (CentOS)", product_id: "CSAFPID-0022", }, product_reference: "CSAFPID-0018", relates_to_product_reference: "CSAFPID-0002", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE5401, M16G, 1TB, C7 all versions (CentOS)", product_id: "CSAFPID-0023", }, product_reference: "CSAFPID-0018", relates_to_product_reference: "CSAFPID-0003", }, { category: "installed_on", full_product_name: { name: "SICK PC, EOS1300, M16G, 1TB, C7 all versions (CentOS)", product_id: "CSAFPID-0024", }, product_reference: "CSAFPID-0018", relates_to_product_reference: "CSAFPID-0004", }, { category: "installed_on", full_product_name: { name: "SICK PC, EOS1300, M16G, 2TB, C7 all versions (CentOS)", product_id: "CSAFPID-0025", }, product_reference: "CSAFPID-0018", relates_to_product_reference: "CSAFPID-0005", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE-5401,R0,2TB,SS-X all versions (RedHat)", product_id: "CSAFPID-0026", }, product_reference: "CSAFPID-0019", relates_to_product_reference: "CSAFPID-0006", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE-5401,R0,2TB,UDS-X all versions (RedHat)", product_id: "CSAFPID-0027", }, product_reference: "CSAFPID-0019", relates_to_product_reference: "CSAFPID-0007", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE-5321, SSXT, R0, 2TB all versions (RedHat)", product_id: "CSAFPID-0028", }, product_reference: "CSAFPID-0019", relates_to_product_reference: "CSAFPID-0008", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE-5321, SSAT, R0, 2TB all versions (RedHat)", product_id: "CSAFPID-0029", }, product_reference: "CSAFPID-0019", relates_to_product_reference: "CSAFPID-0009", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE-5321, UDS, R0, 2TB all versions (RedHat)", product_id: "CSAFPID-0030", }, product_reference: "CSAFPID-0019", relates_to_product_reference: "CSAFPID-0010", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE-5401, SSAT, R0, 2TB all versions (RedHat)", product_id: "CSAFPID-0031", }, product_reference: "CSAFPID-0019", relates_to_product_reference: "CSAFPID-0011", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE-5401, UDS, R0, 2TB all versions (RedHat)", product_id: "CSAFPID-0032", }, product_reference: "CSAFPID-0019", relates_to_product_reference: "CSAFPID-0012", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE-5401, SSCT, R0, 2TB all versions (RedHat)", product_id: "CSAFPID-0033", }, product_reference: "CSAFPID-0019", relates_to_product_reference: "CSAFPID-0013", }, { category: "installed_on", full_product_name: { name: "SICK PC, MXE-5401, SP, R0,2TB all versions (RedHat)", product_id: "CSAFPID-0034", }, product_reference: "CSAFPID-0019", relates_to_product_reference: "CSAFPID-0014", }, { category: "installed_on", full_product_name: { name: "SICK PC-MXE 5401, CUSTOM, C6, 1TB all versions (CentOS)", product_id: "CSAFPID-0035", }, product_reference: "CSAFPID-0018", relates_to_product_reference: "CSAFPID-0015", }, { category: "installed_on", full_product_name: { name: "SICK ERGO,DISP,KIT,C6X,CUSTOM all versions (CentOS)", product_id: "CSAFPID-0036", }, product_reference: "CSAFPID-0018", relates_to_product_reference: "CSAFPID-0016", }, { category: "installed_on", full_product_name: { name: "SICK PC, K700-SE-MS4X, M16G, 1TB all versions (Ubuntu)", product_id: "CSAFPID-0037", }, product_reference: "CSAFPID-0020", relates_to_product_reference: "CSAFPID-0017", }, ], }, vulnerabilities: [ { cve: "CVE-2021-4034", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-01-31T16:00:00.000Z", notes: [ { category: "description", text: "The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to \nexecute environment variables as commands. An attacker can leverage this by crafting environment \nvariables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the \nattack can cause a local privilege escalation given unprivileged users administrative rights on the \ntarget machine.", }, ], product_status: { fixed: [ "CSAFPID-0021", "CSAFPID-0022", "CSAFPID-0023", "CSAFPID-0024", "CSAFPID-0025", "CSAFPID-0026", "CSAFPID-0027", "CSAFPID-0028", "CSAFPID-0029", "CSAFPID-0030", "CSAFPID-0031", "CSAFPID-0032", "CSAFPID-0033", "CSAFPID-0034", "CSAFPID-0035", "CSAFPID-0036", "CSAFPID-0037", ], }, references: [ { summary: "Qualys Advisory", url: "https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt", }, ], remediations: [ { category: "vendor_fix", date: "2022-02-23T16:00:00.000Z", details: "Update to newest version", product_ids: [ "CSAFPID-0021", "CSAFPID-0022", "CSAFPID-0023", "CSAFPID-0024", "CSAFPID-0025", "CSAFPID-0026", "CSAFPID-0027", "CSAFPID-0028", "CSAFPID-0029", "CSAFPID-0030", "CSAFPID-0031", "CSAFPID-0032", "CSAFPID-0033", "CSAFPID-0034", "CSAFPID-0035", "CSAFPID-0036", "CSAFPID-0037", ], }, { category: "mitigation", details: "- In case your SICK IPC for Analytics has been set up normally, without a “kiosk” mode:\n\n - Log in as the \\<root\\> user (credentials will be supplied separately).\n\n - Start the \\<terminal\\> app.\n\n - At the command prompt, enter the following command: \\<chmod 0755 /usr/bin/pkexec\\>\n\n - Log out from \\<root\\>\n\n- In case your SICK IPC for Analytics has been set up in “kiosk” mode:\n\n Note: In this below example, the OS is assumed to be CentOS 6.8 running a Gnome 2.28.2 GUI with SICK Package Analytics pre-installed and running on Kiosk mode.\n\n - These instructions start from the default kiosk-mode display of Package analytics.\n \n - Press \\<CTRL+F4\\> on the keyboard. This will bring up the desktop for the \\<guest\\> user.\n\n - Select the green “running man” icon in the upper right.\n\n - Select \\<Log Out\\> in the dialog box.\n\n - In the ensuing dialog, press \\<Cancel\\>. It’s on a timer, so this step has to be done quickly.\n\n - This brings up a display that allows the user to log in to other accounts. Select \\<other\\>.\n\n - Enter \\<root\\> as the username.\n\n - Enter the root password. Note this will be provided in a separate email.\n\n - This brings up the root desktop. Click on the black terminal icon at the top of the display to bring up the command line prompt.\n\n - At the command line, enter the following command: \\<chmod 0755 /usr/bin/pkexec\\>\n\n - Click on the \\<x\\> in the upper right to close the terminal window.\n\n - As before click on the “running man” icon at the top of the display to bring up the logout screen.\n \n - Select \\<Log Out\\> in the ensuing dialogue.\n\nThis completes the process. The system will automatically back in as the guest kiosk user.", product_ids: [ "CSAFPID-0021", "CSAFPID-0022", "CSAFPID-0023", "CSAFPID-0024", "CSAFPID-0025", "CSAFPID-0026", "CSAFPID-0027", "CSAFPID-0028", "CSAFPID-0029", "CSAFPID-0030", "CSAFPID-0031", "CSAFPID-0032", "CSAFPID-0033", "CSAFPID-0034", "CSAFPID-0035", "CSAFPID-0036", "CSAFPID-0037", ], url: "https://access.redhat.com/security/vulnerabilities/RHSB-2022-001#mitigation", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-0021", "CSAFPID-0022", "CSAFPID-0023", "CSAFPID-0024", "CSAFPID-0025", "CSAFPID-0026", "CSAFPID-0027", "CSAFPID-0028", "CSAFPID-0029", "CSAFPID-0030", "CSAFPID-0031", "CSAFPID-0032", "CSAFPID-0033", "CSAFPID-0034", "CSAFPID-0035", "CSAFPID-0036", "CSAFPID-0037", ], }, ], title: "CVE-2021-4034 Out-of-bounds Write", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.