VyOS vulnerable to CVE-2021-4034

Built a fresh image of 1.4 this morning and used the POC here to confirm VyOS is vulnerable.

sh-5.1$ cat /etc/os-release 

PRETTY_NAME="VyOS 1.4-rolling-202201272046 (sagitta)"
NAME="VyOS"
VERSION_ID="1.4-rolling-202201272046"
VERSION="1.4-rolling-202201272046 (sagitta)"
VERSION_CODENAME=bullseye
ID=vyos
HOME_URL="https://vyos.io"
SUPPORT_URL="https://support.vyos.io"
BUG_REPORT_URL="https://phabricator.vyos.net"

sh-5.1$ id
uid=1003(test) gid=1003(test) groups=1003(test)
sh-5.1$ ./cve-2021-4034-poc
sh-5.1# id
uid=0(root) gid=0(root) groups=0(root),1003(test)
sh-5.1#

I just did a new build of VyOS 1.3 and it pulled in the fixed version of policykit-1:

vyos@vyos:~$ sudo dpkg -l policykit-1
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-=============================================================
ii  policykit-1    0.105-25+deb10u1 amd64        framework for managing administrative policies and privileges

I would imagine new builds of VyOS 1.4 would also pull in the updated package. Not sure about VyOS 1.2 since it is based on Debian Jessie.
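The package-version check above, turned into a repeatable test. This is an added example, not code from the thread or from VyOS: it parses `dpkg -l policykit-1` output for the installed version, compares it against the Debian security fix for the release codename, and separately reports whether a given `pkexec` binary still carries the setuid bit that the bug relies on. The buster fix version `0.105-25+deb10u1` is the one shown in the post; the bullseye fix version `0.105-31+deb11u1` is taken from Debian's advisory for this CVE and is an assumption not stated on this page. Jessie (VyOS 1.2) is deliberately left unmapped, so the function answers "unknown" there rather than guessing. The sample `dpkg` lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): offline check of whether the installed
# policykit-1 is at or above the Debian fix for CVE-2021-4034.
# Fixed versions: buster 0.105-25+deb10u1 (shown in the thread);
# bullseye 0.105-31+deb11u1 (assumption from the Debian advisory, not on this page).
# jessie (VyOS 1.2) is unmapped on purpose: no fixed version is known here.

# Print the fixed policykit-1 version for a Debian codename; fail if unknown.
fixed_polkit_version() {
    case "$1" in
        buster)   echo "0.105-25+deb10u1" ;;
        bullseye) echo "0.105-31+deb11u1" ;;
        *)        return 1 ;;
    esac
}

# Return 0 when $1 >= $2, using GNU sort -V (assumption: coreutils available).
# Adequate for the 0.105-NN[+debXuY] strings involved here; it is not a full
# substitute for dpkg --compare-versions.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# Extract the installed version from `dpkg -l policykit-1` text on stdin.
# Only a line whose state is "ii" (installed) counts; fail if none.
installed_polkit_version() {
    awk '$1 == "ii" && $2 == "policykit-1" { print $3; found = 1 }
         END { exit !found }'
}

# Verdict for a codename plus dpkg -l text: "fixed", "vulnerable" or "unknown".
polkit_status() {
    codename="$1"
    dpkg_out="$2"
    fixed="$(fixed_polkit_version "$codename")" || { echo unknown; return 0; }
    have="$(printf '%s\n' "$dpkg_out" | installed_polkit_version)" || { echo unknown; return 0; }
    if version_ge "$have" "$fixed"; then echo fixed; else echo vulnerable; fi
}

# The setuid bit on pkexec is what turns the bug into root. Report "setuid" or
# "not-setuid" for the given path, so a chmod 0755 mitigation can be confirmed.
pkexec_setuid_state() {
    if [ -u "$1" ]; then echo setuid; else echo not-setuid; fi
}

# Constructed sample: the 1.3 line from the thread (buster, fixed package).
SAMPLE_13='ii  policykit-1    0.105-25+deb10u1 amd64        framework for managing administrative policies and privileges'
# Constructed sample: a bullseye box still on the unpatched package.
SAMPLE_14='ii  policykit-1    0.105-31 amd64        framework for managing administrative policies and privileges'

# Live usage on a VyOS box (not run here):
#   . /etc/os-release
#   polkit_status "$VERSION_CODENAME" "$(dpkg -l policykit-1 2>/dev/null)"
#   pkexec_setuid_state /usr/bin/pkexec
```

A "fixed" verdict is evidence, not proof: the PoC run shown in the thread remains the definitive test on a given image, and the setuid check is there for boxes where the package cannot be updated and `chmod 0755 /usr/bin/pkexec` was used as a stopgap.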

1.2 is not for sure. At least I verified 1.2.8.

I can confirm it is no longer working on current builds of 1.3; it is, however, still affecting 1.4.

test@router:~/CVE-2021-4034$ cat /etc/os-release 

PRETTY_NAME="VyOS 1.4-rolling-202201312234 (sagitta)"
NAME="VyOS"
VERSION_ID="1.4-rolling-202201312234"
VERSION="1.4-rolling-202201312234 (sagitta)"
VERSION_CODENAME=bullseye
ID=vyos
HOME_URL="https://vyos.io"
SUPPORT_URL="https://support.vyos.io"
BUG_REPORT_URL="https://phabricator.vyos.net"

test@router:~/CVE-2021-4034$ id
uid=1003(test) gid=1000(test) groups=1000(test)
test@router:~/CVE-2021-4034$ ./cve-2021-4034-poc
sh-5.1# id
uid=0(root) gid=0(root) groups=0(root),1000(test)