Mitigate CVE-2021-4034 on RHEL with Ansible Playbook — Video Tutorial
HUse Ansible to mitigate CVE-2021-4034 on RHEL systems. Automate the installation of SystemTap, debugging packages, and deploy mitigation scripts.
Watch Video
Watch "Mitigate CVE-2021-4034 on RHEL with Ansible Playbook" on YouTube
What You'll Learn
- What is Polkit Privilege Escalation - (CVE-2021–4034)?
- Links
- code
- execution
- before execution
- after execution
- Conclusion
- Related Articles
- About PwnKit (CVE-2021-4034)
- Quick Check: Is Your System Vulnerable?
Full Tutorial Content
What is Polkit Privilege Escalation - (CVE-2021–4034)?
- "A memory corruption vulnerability in Polkit's pkexec, witch allows any unprivileged user to gain full root privilege on a vulnerable system using default polkit configuration"
cit. Bharat Jogi, qualys.com
{{< vimeo 669715589 >}}
Links
- [In deth analysis from Bharat Jogi, qualys.com](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
- [Red Hat CVE-2021-4034](https://access.redhat.com/security/cve/CVE-2021-4034)
- [Red Hat RHSB-2022-001 Ansible Playbook 1.0](https://access.redhat.com/security/vulnerabilities/RHSB-2022-001#ansible-playbook)
## Playbook
How to mitigrate Polkit Privilege Escalation - PWNKIT (CVE-2021–4034) on RedHat-like systems using the Ansible Playbook downloaded from RHSB-2022–001.
code
Code downloaded from [Red Hat RHSB-2022-001 Ansible Playbook 1.0](https://access.redhat.com/security/vulnerabilities/RHSB-2022-001#ansible-playbook) .
execution
```bash
ansible-pilot $ ansible-playbook -i virtualmachines/demo/inventory -e "HOSTS=demo.example.com" cve-2021-4034/cve-2021-4034_stap_mitigate--2022-01-25-0936.yml
PLAY [Block pkexec with empty first argument with systemtap] **************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [Install systemtap packages] *****************************************************************
changed: [demo.example.com]
TASK [(RHEL 7) Install kernel debuginfo] **********************************************************
skipping: [demo.example.com]
TASK [(RHEL 6/8) Install polkit debuginfo] ********************************************************
changed: [demo.example.com]
TASK [(RHEL 6) Install libselinux-python] *********************************************************
skipping: [demo.example.com]
TASK [Create systemtap script] ********************************************************************
changed: [demo.example.com]
TASK [Checking if stap_pkexec_block module is already loaded] *************************************
ok: [demo.example.com]
TASK [Install systemtap script] *******************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com : ok=6 changed=4 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
ansible-pilot $
```
before execution
```bash
ansible-pilot $ ssh devops@demo.example.com
Last login: Thu Jan 27 21:28:44 2022 from 192.168.0.102
[devops@demo ~]$ sudo su
[root@demo devops]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linu
About This Tutorial
- Author: Luca Berton
- Difficulty: Beginner
- Read time: 4 min
- Category: installation
Read the full written article: Mitigate CVE-2021-4034 on RHEL with Ansible Playbook
Topics Covered
Related Video Tutorials
- Ansible code in RHSB-2021-009 Log4Shell - Remote Code Execution - log4j (CVE-2021-44228) — Learn how my Ansible Playbook was featured in Red Hat Security Bulletin RHSB-2021-009 to address the Log4Shell vulnerability (CVE-2021-44228).
- Detect Apache Log4j CVE-2021-44228 with Ansible Playbook — Use Ansible to automate the detection of Apache Log4j CVE-2021-44228 vulnerability. Follow this guide to set up and run detection scripts efficiently.
- Configuring Kernel Parameters in RedHat-like Linux Systems with Ansible System Role — Learn how to configure kernel parameters in RedHat-like Linux systems using the Ansible System Role.
- Ansible SELinux: Manage Modes, Booleans & Contexts (Complete Guide) — How to automate the enabling or disabling of SELinux Permissive policy per single process or domain keeping the whole system under enforcing policy and make it.
- Ansible seboolean Module: Enable & Disable SELinux Booleans (Guide) — How to manage SELinux booleans with Ansible seboolean module. Enable, disable, and persist SELinux boolean settings. List available booleans.
- Ansible modprobe: Load & Unload Linux Kernel Modules (Guide) — How to load and unload Linux kernel modules with Ansible modprobe module. Manage drivers, configure module parameters, and persist across reboots with examples.