Writing vulnerability checks - CVE-2021-4034


I want to know if it is possible to write vulnerability checks for CVE-2021-4034, because IVM already has a check to find the CVE, but it doesn't have one for the mitigation.

To mitigate this vulnerability it is necessary to run the command chmod 0755 /usr/bin/pkexec; however, with the command stat /usr/bin/pkexec I can verify whether the sticky bit was changed, thus mitigating it.

Today IVM only points out the polkit binary as vulnerable and the update as the solution, but we have many servers and it will not be possible to update at this moment, so we are applying the mitigation. However, I cannot know on how many servers the infrastructure team has already applied this mitigation.

Are you saying you want to create your own vulnerability check?

Hi Pete,

Yes, because at this moment I won't be able to update all Linux servers, and as there is this mitigation, I want IVM to somehow check whether the mitigation has been applied.
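
Added example, not part of the thread and not an IVM check format: a standalone shell check that reports whether `chmod 0755 /usr/bin/pkexec` has taken effect, by testing the set-user-ID bit that the command clears. The function names and status words are this example's own, and GNU `stat` is assumed for the octal mode.

```shell
#!/bin/sh
# Added example: local check for the pkexec mitigation discussed in this thread.
# Function names and status words are this example's own, not an IVM format.

# pkexec_status PATH -> prints absent | suid-set | mitigated
pkexec_status() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "absent"        # no pkexec binary at this path
    elif [ -u "$target" ]; then
        echo "suid-set"      # set-user-ID bit still present: chmod 0755 not applied
    else
        echo "mitigated"     # set-user-ID bit cleared
    fi
}

# pkexec_report PATH -> one line per host: "<host> <path> <octal mode> <status>"
pkexec_report() {
    target=$1
    # GNU stat assumed; -L follows a symlink to the real binary
    mode=$(stat -L -c '%a' "$target" 2>/dev/null) || mode="unknown"
    echo "$(uname -n) $target $mode $(pkexec_status "$target")"
}

# Default to the path named in the thread; another path may be passed as $1
pkexec_report "${1:-/usr/bin/pkexec}"
```

Run on each server, the one-line output can be collected centrally to count hosts still reporting `suid-set`.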