About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Mitigate CVE-2021-4034 on RHEL with Ansible Playbook

By Luca Berton · Published 2024-01-01 · Category: installation

Use Ansible to mitigate CVE-2021-4034 on RHEL systems. Automate the installation of SystemTap and debugging packages, and deploy the mitigation script.

What is Polkit Privilege Escalation - (CVE-2021-4034)?

• "A memory corruption vulnerability in Polkit's pkexec, which allows any unprivileged user to gain full root privilege on a vulnerable system using default polkit configuration" cit. Bharat Jogi, qualys.com

See also: Ansible code in RHSB-2021-009 Log4Shell - Remote Code Execution - log4j (CVE-2021-44228)

Links

• In-depth analysis from Bharat Jogi, qualys.com
• Red Hat CVE-2021-4034
• Red Hat RHSB-2022-001 Ansible Playbook 1.0

## Playbook

This section shows how to mitigate Polkit Privilege Escalation - PWNKIT (CVE-2021-4034) on RedHat-like systems using the Ansible Playbook downloaded from RHSB-2022-001.

code

Code downloaded from Red Hat RHSB-2022-001 Ansible Playbook 1.0.

execution

ansible-pilot $ ansible-playbook -i virtualmachines/demo/inventory -e "HOSTS=demo.example.com" cve-2021-4034/cve-2021-4034_stap_mitigate--2022-01-25-0936.yml
PLAY [Block pkexec with empty first argument with systemtap] **************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [Install systemtap packages] *****************************************************************
changed: [demo.example.com]
TASK [(RHEL 7) Install kernel debuginfo] **********************************************************
skipping: [demo.example.com]
TASK [(RHEL 6/8) Install polkit debuginfo] ********************************************************
changed: [demo.example.com]
TASK [(RHEL 6) Install libselinux-python] *********************************************************
skipping: [demo.example.com]
TASK [Create systemtap script] ********************************************************************
changed: [demo.example.com]
TASK [Checking if stap_pkexec_block module is already loaded] *************************************
ok: [demo.example.com]
TASK [Install systemtap script] *******************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=6    changed=4    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
ansible-pilot $

before execution

ansible-pilot $ ssh devops@demo.example.com
Last login: Thu Jan 27 21:28:44 2022 from 192.168.0.102
[devops@demo ~]$ sudo su
[root@demo devops]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.5"
[root@demo devops]# lsmod | grep stap_pkexec_block
[root@demo devops]# exit
exit
[devops@demo ~]$

after execution

ansible-pilot $ ssh devops@demo.example.com
Last login: Thu Jan 27 21:34:11 2022 from 192.168.0.102
[devops@demo ~]$ sudo su
[root@demo devops]# lsmod | grep stap_pkexec_block
stap_pkexec_block     434176  0
[root@demo devops]# ls -al /root/
total 32
dr-xr-x---.  4 root root 210 Jan 27 21:35 .
dr-xr-xr-x. 17 root root 224 Dec  3 15:29 ..
-rw-------.  1 root root 789 Jan 27 21:30 .bash_history
-rw-r--r--.  1 root root  18 Aug 12  2018 .bash_logout
-rw-r--r--.  1 root root 176 Aug 12  2018 .bash_profile
-rw-r--r--.  1 root root 176 Aug 12  2018 .bashrc
-rw-r--r--.  1 root root 100 Aug 12  2018 .cshrc
drwx------.  2 root root  44 Jan 24 16:09 .gnupg
drwxr-xr-x.  3 root root  19 Jan 27 21:34 .systemtap
-rw-r--r--.  1 root root 129 Aug 12  2018 .tcshrc
-rw-------.  1 root root 923 Jan 24 17:37 .viminfo
-rw-r--r--.  1 root root   0 Jan 27 21:35 pkexec-block.log.0
-rw-------.  1 root root  97 Jan 27 21:34 pkexec-block.stp
[root@demo devops]# ls -al /root/pkexec-block.*
-rw-r--r--. 1 root root  0 Jan 27 21:35 /root/pkexec-block.log.0
-rw-------. 1 root root 97 Jan 27 21:34 /root/pkexec-block.stp
[root@demo devops]#
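The "before" and "after" checks above are done by hand over SSH. The following playbook is an added example (it is not part of Red Hat's RHSB-2022-001 playbook) that automates the same verification across an inventory: it confirms the stap_pkexec_block module is loaded and the SystemTap script is present, and fails the host if either is missing. The module name and the script path /root/pkexec-block.stp are taken from the session output above; the play name and variable names are assumptions.

```yaml
---
# Added verification play (not from RHSB-2022-001): confirm the SystemTap
# mitigation for CVE-2021-4034 is active on every host.
# Assumed values: module name and script path as seen in the session above.
- name: Verify PwnKit SystemTap mitigation is active
  hosts: all
  become: true
  vars:
    stap_module_name: stap_pkexec_block
    stap_script_path: /root/pkexec-block.stp
  tasks:
    - name: List loaded kernel modules
      ansible.builtin.command: lsmod
      register: lsmod_out
      changed_when: false

    - name: Check that the SystemTap script was installed
      ansible.builtin.stat:
        path: "{{ stap_script_path }}"
      register: stap_script

    - name: Fail if the mitigation module is not loaded or the script is missing
      ansible.builtin.assert:
        that:
          # lsmod prints one module per line, name first; keep lines whose
          # first column is exactly our module name
          - lsmod_out.stdout_lines | select('match', '^' ~ stap_module_name ~ ' ') | list | length > 0
          - stap_script.stat.exists
        fail_msg: "{{ stap_module_name }} is not loaded on {{ inventory_hostname }}: PwnKit mitigation is NOT active"
        success_msg: "{{ stap_module_name }} loaded and {{ stap_script_path }} present on {{ inventory_hostname }}"
```

Run it with the same inventory used for the mitigation playbook (for example `ansible-playbook -i virtualmachines/demo/inventory verify-pwnkit-stap.yml`, file name assumed). The assert task reports per host, so the PLAY RECAP gives an at-a-glance view of which machines still need the mitigation; remember that a SystemTap module does not survive a reboot unless it is reinstalled, which is exactly why the check is worth running on a schedule.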

Conclusion

Now you know how to mitigate the Polkit Privilege Escalation - PWNKIT (CVE-2021-4034) on RedHat-like systems using the Ansible Playbook 1.0 published on RHSB-2022-001.

See also: Detect Apache Log4j CVE-2021-44228 with Ansible Playbook

About PwnKit (CVE-2021-4034)

PwnKit is a local privilege escalation vulnerability in Polkit's pkexec utility, present in every major Linux distribution since 2009. Any unprivileged user can exploit it to gain root access.

• CVSS Score: 7.8 (High)
• Affected: All Linux distributions with Polkit installed
• Impact: Local privilege escalation to root
• Fix: Update polkit package or remove SUID bit from pkexec

See also: Configuring Kernel Parameters in RedHat-like Linux Systems with Ansible System Role

Quick Check: Is Your System Vulnerable?

- name: Check if system is vulnerable to PwnKit
  hosts: all
  become: true
  tasks:
    - name: Check pkexec SUID bit
      ansible.builtin.stat:
        path: /usr/bin/pkexec
      register: pkexec_stat

    - name: Check polkit version
      ansible.builtin.command: rpm -q polkit
      register: polkit_version
      changed_when: false
      failed_when: false

    - name: Report vulnerability status
      ansible.builtin.debug:
        msg: >
          pkexec exists: {{ pkexec_stat.stat.exists | default(false) }},
          SUID: {{ pkexec_stat.stat.isuid | default(false) }},
          Polkit version: {{ polkit_version.stdout | default('not installed') }}

Permanent Fix: Update Polkit

- name: Permanently fix PwnKit vulnerability
  hosts: all
  become: true
  tasks:
    - name: Update polkit package (RHEL/CentOS)
      ansible.builtin.dnf:
        name: polkit
        state: latest
      when: ansible_os_family == "RedHat"

    - name: Update polkit package (Debian/Ubuntu)
      ansible.builtin.apt:
        name: policykit-1
        state: latest
        update_cache: true
      when: ansible_os_family == "Debian"

FAQ

Is PwnKit exploitable remotely?

No. PwnKit requires local access to the system. However, if an attacker gains any user-level access (e.g., via a web application vulnerability), they can escalate to root.

Should I remove SUID or update the package?

Updating the package is the permanent fix. Removing the SUID bit is a temporary mitigation for systems that can't be updated immediately. Some applications may require pkexec to function.

How do I verify the fix worked?

After patching, verify with: stat -c '%a' /usr/bin/pkexec. A value of 4755 means the SUID bit is still set, 755 means it has been removed. If the SUID bit is still needed but the package is patched, the vulnerability is mitigated.
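The FAQ describes two paths, the permanent package update and the temporary SUID removal, plus a stat-based verification, but shows no playbook that ties them together. The following is an added example (not the page's own code) that updates polkit where a package update is allowed, otherwise drops the SUID bit from pkexec, and then performs the verification from the question above with the stat module. The variable allow_package_update and the play name are assumptions; set the variable per host or group in the inventory.

```yaml
---
# Added example (not from the original page): fix or mitigate PwnKit
# (CVE-2021-4034), then verify pkexec's mode the way the FAQ describes.
# Assumption: 'allow_package_update' is set per host/group in the inventory.
- name: Fix or mitigate PwnKit, then verify
  hosts: all
  become: true
  vars:
    allow_package_update: true
    pkexec_path: /usr/bin/pkexec
  tasks:
    - name: Permanent fix - update polkit (RHEL/CentOS)
      ansible.builtin.dnf:
        name: polkit
        state: latest
      when:
        - allow_package_update | bool
        - ansible_os_family == "RedHat"

    - name: Permanent fix - update polkit (Debian/Ubuntu)
      ansible.builtin.apt:
        name: policykit-1
        state: latest
        update_cache: true
      when:
        - allow_package_update | bool
        - ansible_os_family == "Debian"

    - name: Temporary mitigation - drop the SUID bit from pkexec
      ansible.builtin.file:
        path: "{{ pkexec_path }}"
        mode: u-s          # symbolic mode: clear set-user-ID only
      when: not (allow_package_update | bool)

    - name: Read pkexec mode after remediation
      ansible.builtin.stat:
        path: "{{ pkexec_path }}"
      register: pkexec_stat

    - name: Show the octal mode (same value as 'stat -c %a /usr/bin/pkexec')
      ansible.builtin.debug:
        msg: "{{ pkexec_path }} mode is {{ pkexec_stat.stat.mode }} (SUID set: {{ pkexec_stat.stat.isuid }})"
      when: pkexec_stat.stat.exists

    - name: Fail when pkexec is still SUID on a host that could not be updated
      ansible.builtin.assert:
        that:
          - not pkexec_stat.stat.isuid
        fail_msg: "pkexec still has the SUID bit on {{ inventory_hostname }} and polkit was not updated"
      when:
        - pkexec_stat.stat.exists
        - not (allow_package_update | bool)
```

On hosts where the package was updated the final assert is skipped, because a patched pkexec is expected to keep its SUID bit (that matches the FAQ's last sentence); on hosts flagged as not updatable the play only succeeds once the SUID bit is gone. The debug task prints the same octal mode the manual stat command would, so the playbook output can be compared directly with a hand check.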
