Are AppChecks internal hub vulnerable to PKEXEC-CVE-2021-4034?
We can confirm that AppChecks internal hubs are not vulnerable to PKEXEC-CVE-2021-4034. This is because the 'pkexec' program is not installed on the internal hubs. AppCheck regularly test and monitor our internal hubs (as well as our internal infrastructure for current and emerging vulnerabilities, and patch internal hubs on a regular basis).
What is PKEXEC-CVE-2021-4034?
From pkexec man page:
pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.
For example, on a Linux terminal, if I perform the 'whoami' command on the terminal, it will return my username, in this case lets call our user 'pkexec-user'.
Now if I run the pkexec program and pass the 'whoami' command as an argument, 'pkexec whoami', it will return 'root' (given that the user 'pkexec-user' has the authority to run programs as root and the password is supplied).
This is because no username was specified, so the pkexec program executed the command 'whoami' as root, as mentioned above from pkexec description.
In this vulnerability pkexec does not correctly count the calling parameters and as a result it executes environment variables as commands. This allows a user that does not necessarily have permission to run a certain command through pkexec to run it by crafting an environment variable to store the command.
It is important to note the "local users", this means that in order to exploit the vulnerability, you have to have access to the machine as a user.