search

balena-os / pi-gen

Tool used to create the raspberrypi.org Raspbian images
BSD 3-Clause "New" or "Revised" License
7 stars 6 forks source link

Fin CM3 Raspbian v0.1.0 is affected by CVE-2021-4034 (PwnKit) #21

Open pdcastro opened 2 years ago

pdcastro commented 2 years ago

The Fin CM3 Raspbian v0.1.0 image available for download at https://www.balena.io/fin/1.1/docs/downloads/ is affected by vulnerability CVE-2021-4034 (PwnKit) - https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/

@fisehara kindly ran some tests to confirm it:

  1. Flashed image
  2. Tested which pkexec exists
  3. Test with https://github.com/berdav/CVE-2021-4034.git can access root level
  4. sudo apt update && sudo apt upgrade
  5. Test again: can access root level
  6. Explicitly installing: sudo apt install policykit-1
  7. Test again: Root access is not possible anymore

Fix / Workaround:

  1. sudo apt update && sudo apt upgrade
  2. sudo apt install policykit-1

We should produce a new image version that is not affected (that includes the upgraded packages) to replace v0.1.0.

jellyfish-bot commented 2 years ago

[pdcastro] This issue has attached support thread https://jel.ly.fish/413df998-060f-4eee-9de1-75667c140ac1