CVE-2021-21261
Flatpak sandbox escape via spawn portal
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.10.0.
Flatpak es un sistema para crear, distribuir y ejecutar aplicaciones de escritorio en sandbox en Linux. Se detectó un fallo en el servicio "flatpak-portal" que puede permitir que las aplicaciones en sandbox ejecuten código arbitrario en el sistema host (un escape del sandbox). Este fallo de escape del sandbox está presente en las versiones 0.11.4 y anteriores a las versiones reparadas 1.8.5 y 1.10.0. El servicio D-Bus del portal Flatpak ("flatpak-portal", también conocido por su nombre de servicio D-Bus "org.freedesktop.portal.Flatpak") permite que las aplicaciones en un sandbox de Flatpak inicien sus propios subprocesos en una nueva instancia del sandbox, ya sea con la misma configuración de seguridad que la persona que llama o con una configuración de seguridad más restrictiva. Por ejemplo, esto se usa en navegadores web empaquetados con Flatpak, como Chromium, para iniciar subprocesos que procesarán contenido web no confiable. y dar a esos subprocesos un sandbox más restrictivo que el propio navegador. En versiones vulnerables, el servicio del portal Flatpak pasa las variables de entorno especificadas por la persona que llama hacia procesos que no están en el sandbox en el sistema host y, en particular, al comando "flatpak run" que se usa para iniciar la nueva instancia del sandbox. Una aplicación Flatpak maliciosa o comprometida podría establecer variables de entorno en las que confíe el comando "flatpak run" y usarlas para ejecutar código arbitrario que no se encuentra en un sandbox. Como solución alternativa, esta vulnerabilidad puede ser mitigada evitando que se inicie el servicio "flatpak-portal", pero esa mitigación impedirá que muchas aplicaciones de Flatpak funcionen correctamente. Esto se corrige en las versiones 1.8.5 y 1.10.0
A flaw was found in Flatpak. The Flatpak portal D-Bus service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is outside the sandbox. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-12-22 CVE Reserved
- 2021-01-14 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba | Third Party Advisory | |
| https://github.com/flatpak/flatpak/releases/tag/1.8.5 | Third Party Advisory | |
| https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/202101-21 | 2021-01-27 | |
| https://www.debian.org/security/2021/dsa-4830 | 2021-01-27 | |
| https://access.redhat.com/security/cve/CVE-2021-21261 | 2021-02-04 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1917430 | 2021-02-04 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Flatpak Search vendor "Flatpak" | Flatpak Search vendor "Flatpak" for product "Flatpak" | >= 0.11.4 < 1.8.5 Search vendor "Flatpak" for product "Flatpak" and version " >= 0.11.4 < 1.8.5" | - |
Affected
| ||||||
| Flatpak Search vendor "Flatpak" | Flatpak Search vendor "Flatpak" for product "Flatpak" | >= 1.9.1 < 1.10.0 Search vendor "Flatpak" for product "Flatpak" and version " >= 1.9.1 < 1.10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||