Security Notices

CVE-2021-4034 - Local privilege escalation in pkexec

How does this vulnerability affect Kasm Workspaces

Vulnerability Summary

A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that they induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.

Further details on vulnerability CVE-2021-4034.
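The parameter-count mistake described in the summary, reduced to a stand-alone C illustration (added here; it is not pkexec's source and not Kasm code). The function names and the constructed vectors are assumptions: the empty vector imitates the process start-up layout in which the environment pointers follow directly after the argv terminator, and nothing is executed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample vectors (not captured from a real process).
 * empty_vec models argc == 0: the argv terminator, then environment entries. */
static char *empty_vec[]  = { NULL, "CONSTRUCTED_VAR=value", NULL };
static char *normal_vec[] = { "tool", "-v", "id", NULL,
                              "CONSTRUCTED_VAR=value", NULL };

/* Unchecked pattern: assumes argv[0] exists and starts scanning at index 1.
 * With argc == 0 the loop never runs, n stays 1, and argv[1] is read even
 * though it lies past the terminator, so an environment entry is returned. */
const char *program_arg_unchecked(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++) {
        if (argv[n][0] != '-')      /* first non-option is the program */
            break;
    }
    return argv[n];
}

/* Hardened pattern: reject an empty argument vector and never index
 * at or beyond argc. */
const char *program_arg_checked(int argc, char **argv)
{
    int n;
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return NULL;
    for (n = 1; n < argc; n++) {
        if (argv[n][0] != '-')
            break;
    }
    return n < argc ? argv[n] : NULL;
}

int main(void)
{
    const char *u = program_arg_unchecked(0, empty_vec);
    const char *c = program_arg_checked(0, empty_vec);
    printf("argc=0 unchecked: %s\n", u ? u : "(none)");
    printf("argc=0 checked:   %s\n", c ? c : "(rejected)");
    printf("argc=3 checked:   %s\n", program_arg_checked(3, normal_vec));
    return 0;
}
```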

Kasm Services

Kasm service containers include: nginx, postgres, redis, kasm_api, kasm_manager, and kasm_share services. These containers do not contain the affected package. Generally speaking, for the highest degree of security, administrators should use the rolling versions of service containers, which are built regularly. Kasm versions 1.9.0 and above have rolling images which are built weekly.

Kasm Desktop and Application Workspace Images

The Kasm Workspaces core images contain the affected package, policykit-1. While the affected package exists on the container images, the ability to exploit the vulnerability is blocked by Kasm's use of libnss_wrapper to obfuscate the user running in the container from the underlying host. This is true for all images with the exception of the Remnux image, which is vulnerable. The recommendation is to use the rolling tagged version of each image and to rebuild custom images so that they are based on the rolling tagged images. Rolling desktop/app images are rebuilt nightly and updated in Docker Hub.

The following table lists all images. The status columns show whether the image is patched, mitigated, or vulnerable for the 1.9.0, 1.9.0-rolling, 1.10.0, and 1.10.0-rolling tagged images. Future releases beyond 1.10.0 will be patched for all tags. Releases prior to 1.9.0 should be updated and use rolling tags to ensure all containers are up to date.

Image Name 1.9.0 1.9.0-rolling 1.10.0 1.10.0-rolling
kasmweb/chrome Mitigated Patched Mitigated Patched
kasmweb/desktop Mitigated Patched Mitigated Patched
kasmweb/desktop-deluxe Mitigated Patched Mitigated Patched
kasmweb/firefox Mitigated Patched Mitigated Patched
kasmweb/firefox-mobile Mitigated Patched Mitigated Patched
kasmweb/gimp Mitigated Patched Mitigated Patched
kasmweb/only-office Mitigated Patched Mitigated Patched
kasmweb/postman Mitigated Patched Mitigated Patched
kasmweb/insomnia Mitigated Patched Mitigated Patched
kasmweb/brave Mitigated Patched Mitigated Patched
kasmweb/ubuntu-bionic-desktop Mitigated Patched Mitigated Patched
kasmweb/discord Mitigated Patched Mitigated Patched
kasmweb/slack Mitigated Patched Mitigated Patched
kasmweb/edge Mitigated Patched Mitigated Patched
kasmweb/remmina Mitigated Patched Mitigated Patched
kasmweb/teams Mitigated Patched Mitigated Patched
kasmweb/signal Mitigated Patched Mitigated Patched
kasmweb/vs-code Mitigated Patched Mitigated Patched
kasmweb/zoom Mitigated Patched Mitigated Patched
kasmweb/terminal Mitigated Patched Mitigated Patched
kasmweb/centos-7-desktop Mitigated Patched Mitigated Patched
kasmweb/vlc Mitigated Patched Mitigated Patched
kasmweb/chromium - - Mitigated Patched
kasmweb/telegram Mitigated Patched Mitigated Patched
kasmweb/doom Mitigated Patched Mitigated Patched
kasmweb/steam Mitigated Patched Mitigated Patched
kasmweb/core-kali-rolling Mitigated Patched Mitigated Patched
kasmweb/core-remnux-bionic Vulnerable Patched Vulnerable Patched
kasmweb/citrix-workspace Mitigated Patched Mitigated Patched
kasmweb/core-cuda-bionic Mitigated Patched Mitigated Patched
kasmweb/core-ubuntu-bionic Mitigated Patched Mitigated Patched
kasmweb/maltego Mitigated Patched Mitigated Patched
kasmweb/rdesktop Mitigated Patched Mitigated Patched
kasmweb/vmware-horizon Mitigated Patched Mitigated Patched
kasmweb/core-centos-7 Mitigated Patched Mitigated Patched