SB2024080680 - Amazon Linux AMI update for polkit

Published: August 6, 2024

Security Bulletin ID: SB2024080680
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity: Medium 50%, Low 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Input validation error (CVE-ID: CVE-2021-4034)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper handling of the calling parameters count in the pkexec setuid binary, which causes the binary to execute environment variables as commands. A local user can craft environment variables in a way that they will be processed and executed by pkexec and execute arbitrary commands on the system as root.
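The defect class above is a setuid program that assumes argv[1] exists without first checking the argument count. The following is an added illustration of the defensive check, not polkit's or Amazon's code: a hypothetical `check_program_args` helper that a setuid helper would call before trusting its first argument. The C runtime guarantees `argv[argc]` is NULL, so with `argc == 0` the only valid element is the terminator and `argv[1]` lies outside the array; the check refuses that case outright instead of reading past the end.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of the defensive argument check (hypothetical helper, not polkit code). */
enum arg_status { ARG_OK = 0, ARG_NO_ARGV = 1, ARG_MISSING = 2 };

/*
 * Validate argc/argv before a privileged program touches argv[1].
 * argv[argc] is always NULL, but argv[1] is inside the array only when
 * argc >= 1. Reading argv[1] with argc == 0 walks past the terminator into
 * whatever follows argv in memory, which is the bug pattern the bulletin
 * describes for pkexec. On success the first argument is returned via out_cmd.
 */
enum arg_status check_program_args(int argc, char *const argv[], const char **out_cmd)
{
    *out_cmd = NULL;
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return ARG_NO_ARGV;     /* invoked with an empty argv: refuse to continue */
    if (argc < 2 || argv[1] == NULL)
        return ARG_MISSING;     /* no command argument supplied: usage error */
    *out_cmd = argv[1];
    return ARG_OK;
}

int main(int argc, char *argv[])
{
    const char *cmd;
    switch (check_program_args(argc, argv, &cmd)) {
    case ARG_OK:
        printf("would run: %s\n", cmd);
        return 0;
    case ARG_NO_ARGV:
        fputs("refusing to run with an empty argv\n", stderr);
        return 1;
    case ARG_MISSING:
        fputs("usage: helper <command>\n", stderr);
        return 2;
    }
    return 1;
}
```

The point of the helper is that the `argc < 1` branch is tested explicitly rather than inferred from `argv[1]` being non-NULL; a privileged program should treat an empty argument vector as a hard error, because the memory past `argv[argc]` is not under its control.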


2) Resource exhaustion (CVE-ID: CVE-2021-4115)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to process file descriptor exhaustion in polkit; a local user can trigger it to deny service to other users of the daemon.


Remediation

Install the update from the vendor's website.