kyle
1
Built a fresh image of 1.4 this morning and used the POC here to confirm VyOS is vulnerable.
sh-5.1$ cat /etc/os-release
PRETTY_NAME="VyOS 1.4-rolling-202201272046 (sagitta)"
NAME="VyOS"
VERSION_ID="1.4-rolling-202201272046"
VERSION="1.4-rolling-202201272046 (sagitta)"
VERSION_CODENAME=bullseye
ID=vyos
HOME_URL="https://vyos.io"
SUPPORT_URL="https://support.vyos.io"
BUG_REPORT_URL="https://phabricator.vyos.net"
sh-5.1$ id
uid=1003(test) gid=1003(test) groups=1003(test)
sh-5.1$ ./cve-2021-4034-poc
sh-5.1# id
uid=0(root) gid=0(root) groups=0(root),1003(test)
sh-5.1#
p252
2
I just did a new build of VyOS 1.3 and it pulled in the fixed version of policykit-1:
vyos@vyos:~$ sudo dpkg -l policykit-1
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-================-============-=============================================================
ii policykit-1 0.105-25+deb10u1 amd64 framework for managing administrative policies and privileges
I would imagine new builds of VyOS 1.4 would also pull in the updated package. Not sure about VyOS 1.2 since it is based on Debian Jessie.
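Added example, not part of the thread or of VyOS: a Python check that turns the `dpkg -l policykit-1` row above into a verdict by applying Debian version ordering against the fixed version quoted in this post. The `FIXED` table, the function names and the sample rows are assumptions of this example, and it assumes /etc/os-release carries a Debian `VERSION_CODENAME` as in the output quoted in the thread. It declines to judge a release whose fixed version it has not been given, because package revisions are not comparable across Debian releases.

```python
import re
from itertools import zip_longest

# Fixed policykit-1 version per Debian codename. Only the buster value is
# quoted in this thread; add other releases from the Debian security tracker.
FIXED = {"buster": "0.105-25+deb10u1"}
TOK = re.compile(r"(\D*)(\d*)")  # one non-digit run followed by one digit run

def _runkey(run):
    # "~" sorts before end of run (the trailing 0); letters before other chars.
    return [-1 if c == "~" else ord(c) + 256 * (not c.isalpha()) for c in run] + [0]

def _cmp_part(a, b):
    # Walk both strings as alternating non-digit / digit runs, as dpkg does.
    pairs = zip_longest(TOK.findall(a), TOK.findall(b), fillvalue=("", ""))
    for (na, da), (nb, db) in pairs:
        ka, kb = (_runkey(na), int(da or 0)), (_runkey(nb), int(db or 0))
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def deb_cmp(a, b):
    # Returns -1, 0 or 1 following Debian version ordering.
    parts = []
    for v in (a, b):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        parts.append((int(epoch), upstream, rev))
    (ea, ua, ra), (eb, ub, rb) = parts
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def assess(os_release, dpkg_row):
    # os_release: text of /etc/os-release; dpkg_row: the "ii policykit-1 ..." line.
    m = re.search(r'^VERSION_CODENAME="?([\w-]+)', os_release, re.M)
    f = dpkg_row.split()
    if not m or len(f) < 3 or f[1] != "policykit-1":
        return "unparsed"
    fixed = FIXED.get(m.group(1))
    if fixed is None:
        return "unknown-release"  # never judge by another release's fix
    return "fixed" if deb_cmp(f[2], fixed) >= 0 else "vulnerable"

if __name__ == "__main__":
    # Constructed samples: an unpatched buster row, then a release not in FIXED.
    print(assess("VERSION_CODENAME=buster\n", "ii policykit-1 0.105-25 amd64 x"))
    print(assess("VERSION_CODENAME=bullseye\n", "ii policykit-1 0.105-31 amd64 x"))
```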
blason
3
1.2 is not for sure. At least I verified 1.2.8.
kyle
4
I can confirm it is no longer working on current builds of 1.3; it is, however, still affecting 1.4.
test@router:~/CVE-2021-4034$ cat /etc/os-release
PRETTY_NAME="VyOS 1.4-rolling-202201312234 (sagitta)"
NAME="VyOS"
VERSION_ID="1.4-rolling-202201312234"
VERSION="1.4-rolling-202201312234 (sagitta)"
VERSION_CODENAME=bullseye
ID=vyos
HOME_URL="https://vyos.io"
SUPPORT_URL="https://support.vyos.io"
BUG_REPORT_URL="https://phabricator.vyos.net"
test@router:~/CVE-2021-4034$ id
uid=1003(test) gid=1000(test) groups=1000(test)
test@router:~/CVE-2021-4034$ ./cve-2021-4034-poc
sh-5.1# id
uid=0(root) gid=0(root) groups=0(root),1000(test)