Skip to content
 
If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(Ars Technica)   Got Linux? Don't look now, but a 12-year-old bug could let a hacker gain absolute power over your system. Fix included in article   (arstechnica.com) divider line
    More: Scary, Privilege escalation, Linux distribution, firm Qualys, Exploitation, Linux users, concept exploit code, last June, 12-year-old vulnerability  
•       •       •

981 clicks; posted to STEM » on 26 Jan 2022 at 1:56 PM (16 weeks ago)   |   Favorite    |   share:  Share on Twitter share via Email Share on Facebook



27 Comments     (+0 »)
View Voting Results: Smartest and Funniest
 
2022-01-26 1:43:51 PM  
Well, that certainly explains my uncontrollable urge to make someone a sandwich.
 
2022-01-26 1:48:44 PM  
Here's your exploit: https://github.com/berdav/CVE-2021-4034

There are patches out, too. If your Linux distro is not affected, get a better distro you hipster.
 
2022-01-26 2:10:30 PM  

Tr0mBoNe: There are patches out, too. If your Linux distro is not affected, get a better distro you hipster.


On one hand, the type of distro that won't receive a patch would be an Internet of Things device.  On the other hand, those are probably least vulnerable since you need to be an authenticated logged in user for this attack to work.   If you're logging into those, you're already root.
 
2022-01-26 2:14:26 PM  
Forget that, I want to know why suddenly it's not finding my bluetooth plug in
 
2022-01-26 2:15:21 PM  

MusicMakeMyHeadPound: Tr0mBoNe: There are patches out, too. If your Linux distro is not affected, get a better distro you hipster.

On one hand, the type of distro that won't receive a patch would be an Internet of Things device.  On the other hand, those are probably least vulnerable since you need to be an authenticated logged in user for this attack to work.   If you're logging into those, you're already root.


I believe they were more getting at the fact if you're using a distro that doesn't use Policy Kit you're not using a distro that has any semblance to a mainstream distro.

Properly a distro for a IoT device should be pretty stripped down and Policy Kit probably should be one of those things stripped out.
 
2022-01-26 2:17:07 PM  

SMB2811: Properly a distro for a IoT device should be pretty stripped down and Policy Kit probably should be one of those things stripped out.


Properly? That requires work. Far easier to just ship the reference code.

\ The S in IoT stands for security.
 
2022-01-26 2:18:12 PM  

MusicMakeMyHeadPound: Tr0mBoNe: There are patches out, too. If your Linux distro is not affected, get a better distro you hipster.

On one hand, the type of distro that won't receive a patch would be an Internet of Things device.  On the other hand, those are probably least vulnerable since you need to be an authenticated logged in user for this attack to work.   If you're logging into those, you're already root.


When the fark did IoT garbage gain any form of security in the first place?
 
2022-01-26 2:25:45 PM  

lifeslammer: MusicMakeMyHeadPound: Tr0mBoNe: There are patches out, too. If your Linux distro is not affected, get a better distro you hipster.

On one hand, the type of distro that won't receive a patch would be an Internet of Things device.  On the other hand, those are probably least vulnerable since you need to be an authenticated logged in user for this attack to work.   If you're logging into those, you're already root.

When the fark did IoT garbage gain any form of security in the first place?


Oh. Right. STEM tab. I keep forgetting I need to spell things out carefully here.

Long story short: I agreed with you before you even posted, ya dingleberry.
 
2022-01-26 2:52:47 PM  
Maybe this will make the distros re-evaluate the need for this ancient package as a default part of the OS. Only a a couple of the most venerable linux greybeards at my place of work even know how what this is and none of them had ever used it.
 
2022-01-26 2:53:54 PM  
Everyone knew about securing root.

Nobody knew about root2.
 
2022-01-26 3:00:07 PM  
Is the fix patch your servers in the normal way that everyone should be doing regularly anyway?
 
2022-01-26 3:08:48 PM  
Is this the year of Linux on the desktop?
 
2022-01-26 3:15:36 PM  
I have absolute power!

y.yarn.coView Full Size
 
2022-01-26 3:20:46 PM  

PirateKing: Everyone knew about securing root.

Nobody knew about root2.


Fark user imageView Full Size
 
2022-01-26 3:26:54 PM  

WhackingDay: Maybe this will make the distros re-evaluate the need for this ancient package as a default part of the OS. Only a a couple of the most venerable linux greybeards at my place of work even know how what this is and none of them had ever used it.


Yes they have. PolKit is pretty core to a whole lot of actions on a Linux host, especially using any of the major GUI environments. Ever typed a privileged systemctl command without sudo and had it ask you for the root password? That was polkit. Turned on a VPN under NetworkManager without having to put in the root password or sudo? That was polkit.
 
2022-01-26 3:27:08 PM  
This is why I created my own operating system, processors and chip sets.
 
2022-01-26 4:24:56 PM  

Tr0mBoNe: Here's your exploit: https://github.com/berdav/CVE-2021-4034

There are patches out, too. If your Linux distro is not affected, get a better distro you hipster.



its a shame that local access (username/password) to the computer is required.  i thought this was an actual remote exploit.

more Drama from the Drama Queens.......
 
2022-01-26 4:26:27 PM  

Destructor: This is why I created my own operating system, processors and chip sets.



its the only way to be sure.    Open Source chips are coming, though.   Tropic Square (owned by Trezor Labs) are currently working on the world's first open source security chip for crypto hardwallets, etc.
 
2022-01-26 4:27:33 PM  

mcreadyblue: Is this the year of Linux on the desktop?



Kicking ass everywhere except the desktop.............

course, having 98% of the computers bought with windows already installed does skew things a bit..........
 
2022-01-26 4:29:14 PM  

WhackingDay: Maybe this will make the distros re-evaluate the need for this ancient package as a default part of the OS. Only a a couple of the most venerable linux greybeards at my place of work even know how what this is and none of them had ever used it.



stop that!!

you are supposed to say that windows is much more secure and that THIS is the year of the Linux desktop!

you've disappointed so many Farkers with your comment.
 
2022-01-26 4:54:53 PM  

WhackingDay: Maybe this will make the distros re-evaluate the need for this ancient package as a default part of the OS. Only a a couple of the most venerable linux greybeards at my place of work even know how what this is and none of them had ever used it.


encrypted-tbn0.gstatic.comView Full Size


But rancid polkit keeps my server nice and scalely
 
2022-01-26 5:05:53 PM  

drjekel_mrhyde: PirateKing: Everyone knew about securing root.

Nobody knew about root2.

[Fark user image 666x445]


No idea who she is, but she is cute.

Article posted online 5:55 pm 25th. Got a patch this morning.
 
2022-01-26 6:59:26 PM  
... Aaaand I've already patched all our systems.

The fix doesn't even require a reboot.
 
2022-01-26 7:56:04 PM  

Linux_Yes: Tr0mBoNe: Here's your exploit: https://github.com/berdav/CVE-2021-4034

There are patches out, too. If your Linux distro is not affected, get a better distro you hipster.


its a shame that local access (username/password) to the computer is required.  i thought this was an actual remote exploit.


You are so wrong that you should slap yourself for posting this idiocy. The vulnerability can be exploited by anyone with CLI access, which includes remote access, e.g. via ssh.
 
2022-01-26 8:07:39 PM  

Drunk and Bitter Jesus: Linux_Yes: Tr0mBoNe: Here's your exploit: https://github.com/berdav/CVE-2021-4034

There are patches out, too. If your Linux distro is not affected, get a better distro you hipster.


its a shame that local access (username/password) to the computer is required.  i thought this was an actual remote exploit.

You are so wrong that you should slap yourself for posting this idiocy. The vulnerability can be exploited by anyone with CLI access, which includes remote access, e.g. via ssh.


You're misunderstanding his use of "local access". He clarifies his meaning in the brackets.

You need one step further than just SSH to exploit it, you need a valid username and password.
 
2022-01-26 9:01:38 PM  

dyhchong: Drunk and Bitter Jesus: Linux_Yes: Tr0mBoNe: Here's your exploit: https://github.com/berdav/CVE-2021-4034

There are patches out, too. If your Linux distro is not affected, get a better distro you hipster.


its a shame that local access (username/password) to the computer is required.  i thought this was an actual remote exploit.

You are so wrong that you should slap yourself for posting this idiocy. The vulnerability can be exploited by anyone with CLI access, which includes remote access, e.g. via ssh.

You're misunderstanding his use of "local access". He clarifies his meaning in the brackets.

You need one step further than just SSH to exploit it, you need a valid username and password.


That's still a remote exploit, just one which requires authentication. Allowing any authenticated user to gain root access is still one hell of a vulnerability.
 
2022-01-27 5:28:15 AM  

Destructor: This is why I created my own operating system, processors and chip sets.


This is why I use TempleOS.
 
Displayed 27 of 27 comments

View Voting Results: Smartest and Funniest

This thread is closed to new comments.

Continue Farking




On Twitter


  1. Links are submitted by members of the Fark community.

  2. When community members submit a link, they also write a custom headline for the story.

  3. Other Farkers comment on the links. This is the number of comments. Click here to read them.

  4. Click here to submit a link.