A memory corruption vulnerability (CVE-2021-4034) in PolKit, a component used in major Linux distributions and some Unix-like operating systems, can be easily exploited by local unprivileged users to gain full root privileges. To a certain extent, this may be related to TOTPRadius, as the appliance is based on standard Ubuntu distribution (20 LTS), therefore we are providing an update.
Although the CVE itself is classified as High by Canonical, in our context, it would reclassify as "Low" for the following reasons:
• TOTPRadius only has one main user (username totpradius) and there should not be any other user added to the system
• TOTPRadius should be deployed inside your secure network perimeter, which means SSH and admin access is only allowed for trusted subnets.
For the reasons above, if these recommendations were followed, the risks are minimal. However, we still recommend updating your appliance as described below.
• Our appliances run standard Ubuntu operating system, so the mitigation should follow the standard recommendation for Ubuntu 20 (running usual
apt-get update ; sudo apt-get upgrade should be enough). This has to be a common practice for all Ubuntu boxes irrelevant to what they are used for.
• Alternatively, you can patch the polkit package separately
• In case patching is not possible for your TOTPRadius appliance (i.e. it was deployed without Internet access etc.), you can simply remove the SUID-bit from pkexec executable (run
chmod 0755 /usr/bin/pkexec). This will not break anything as pkexec functionality is not required nor used by TOTPRadius
• As this is an OS issue, it is not possible to provide a patch via TOTPRadius patching system. We will make sure the next release is built on an up-to-date version of Ubuntu (which is our standard practice for new releases)