A vulnerability in a component shipped with almost every Linux distribution, present for 12 years, has recently come to light (read more here). The good news, in short, is that there is no practical risk for Osirium PAM users.

Officially designated CVE-2021-4034, the vulnerability is in Polkit (previously known as PolicyKit), specifically in pkexec, the setuid helper that lets authorised users run commands as another user. A memory corruption bug in pkexec allows any unprivileged user with a local shell on the system to obtain root-level privileges, regardless of the Polkit policy in force.

The Osirium PAM virtual appliance is based on a long-term support version of Ubuntu Linux which includes an affected version of Polkit. In reality, there is no practical risk: exploiting the bug requires a local shell on the appliance, and the only users with that access are PAM SuperAdmin users, who already have root-level access via the osirium_support account. An attacker would have to hold SuperAdmin credentials before the bug gave them anything, and at that point it gives them nothing they did not already have.

The virtual appliance will be updated with the forthcoming PAM v8.0.2 release to include an updated version of Polkit.
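For administrators who want to verify the state of a host themselves, the following POSIX shell script is an added example, not Osirium's own tooling or guidance. It checks whether a pkexec binary still carries the setuid bit that the bug depends on, applies the interim mitigation published for CVE-2021-4034 (removing that bit, equivalent to chmod 0755), and reports the installed package version for comparison against the distribution's security notice. The dpkg-query lookup and the package name policykit-1 are assumptions that hold on Debian and Ubuntu hosts; the default path /usr/bin/pkexec is likewise an assumption.

```shell
#!/bin/sh
# Added example (not Osirium's tooling): check whether a pkexec binary still
# carries the setuid bit that CVE-2021-4034 depends on, and apply the interim
# mitigation published for the bug, which is to strip that bit (chmod 0755).
# Assumes POSIX sh. The package-version lookup assumes a Debian/Ubuntu host
# with dpkg-query and the package name policykit-1 used there.

# Exit status: 0 = file is setuid (the precondition for exploitation),
#              1 = file exists but is not setuid, 2 = file not found.
pkexec_is_setuid() {
    f="${1:-/usr/bin/pkexec}"
    [ -e "$f" ] || return 2
    [ -u "$f" ]    # POSIX test: true when the set-user-ID bit is set
}

# Interim mitigation: remove the setuid bit. pkexec then stops working for
# legitimate use as well, which is acceptable on an appliance where nobody
# relies on it. Needs write permission on the file (root on a real host).
pkexec_strip_setuid() {
    f="${1:-/usr/bin/pkexec}"
    [ -e "$f" ] || return 2
    chmod u-s "$f"
}

# Print a one-line status and, where dpkg is available, the installed
# policykit-1 version so it can be compared with the distribution's
# security notice for CVE-2021-4034. Always returns 0; it only reports.
pkexec_report() {
    f="${1:-/usr/bin/pkexec}"
    rc=0
    pkexec_is_setuid "$f" || rc=$?
    case $rc in
        0) status="SETUID (an unpatched binary is exploitable by any local user)" ;;
        1) status="not setuid (mitigation applied or package changed)" ;;
        *) status="not present" ;;
    esac
    echo "$f: $status"
    if command -v dpkg-query >/dev/null 2>&1; then
        ver=$(dpkg-query -W -f='${Version}' policykit-1 2>/dev/null || echo "not installed")
        echo "policykit-1 version: $ver"
    fi
    return 0
}

pkexec_report "$@"
```

Run it as `sh check-pkexec.sh` to report on /usr/bin/pkexec, or pass another path. Stripping the setuid bit is a stopgap only; the durable fix is the updated Polkit package, after which the bit can be left in place because the patched pkexec rejects the malformed invocation the bug relies on.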

For completeness: neither Osirium PEM nor Automation/PPA is affected, as their virtual appliances don't include an affected OS.
