Product: Stratusphere UX
Product Version: 6.5.1
Expires on: 365 days from publish date
Updated: Jan, 2022
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation giving unprivileged users administrative rights on the target machine.
Temporary remediation and changes to base logon accounts.
1. Putty into HUB/DB/Collector as ssconsole / sspassword
- Select "P" for Passwords
- Change all of the users default password from those menus and make sure to document them.
2. Remove the SUID-bit from pkexec as a temporary mitigation.
- Logon to Stratusphere HUB, DB or Collector as friend
- Switch to root user using "su -"
- Execute the following command:
- # chmod 0755 /usr/bin/pkexec
- # ls -ltr /usr/bin/pkexec
-rwsr-xr-x. 1 root root 29048 Jun 4 2021 /usr/bin/pkexec
# chmod 0755 /usr/bin/pkexec
# ls -ltr /usr/bin/pkexec
-rwxr-xr-x. 1 root root 29048 Jun 4 2021 /usr/bin/pkexec
- Log out as root
- ctrl + d
- Test if you can execute the package, it should fail for permissions
pkexec must be setuid root
Our team is aware of the vulnerability and is making sure it is remediated in our upcoming release for 6.6.0 in February.
At this time please make sure the default passwords have been changed, as they should be for best practices, otherwise air gapped and restricted environments should be safe from external attacks.