CVE-2021-41133
Sandbox bypass via recent VFS-manipulating syscalls
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.
Flatpak es un sistema para construir, distribuir y ejecutar aplicaciones de escritorio en sandbox en Linux. En versiones anteriores a 1.10.4 y 1.12.0, las aplicaciones Flatpak con acceso directo a los sockets AF_UNIX, como los usados por Wayland, Pipewire o pipewire-pulse, pueden engañar a los portales y otros servicios del sistema operativo anfitrión para que traten la aplicación Flatpak como si fuera un proceso ordinario del Sistema Operativo anfitrión sin sandbox. Pueden hacer esto al manipular el VFS usando recientes llamadas al sistema relacionadas con el montaje que no están bloqueadas por el filtro seccomp de Flatpak, para sustituir un "/.flatpak-info" diseñado o hacer que ese archivo desaparezca por completo. Las aplicaciones Flatpak que actúan como clientes de sockets AF_UNIX como los usados por Wayland, Pipewire o pipewire-pulse pueden escalar los privilegios que los servicios correspondientes creerán que presenta la aplicación Flatpak. Ten en cuenta que los protocolos que operan completamente sobre el bus de sesión D-Bus (bus de usuario), el bus de sistema o el bus de accesibilidad no están afectados por esto. Esto es debido al uso de un proceso proxy "xdg-dbus-proxy", cuyo VFS no puede ser manipulado por la app Flatpak, cuando interactúa con estos buses. Se presentan parches para las versiones 1.10.4 y 1.12.0, y en el momento de la publicación, se está planeando un parche para la versión 1.8.2. No se presentan soluciones aparte de la actualización a una versión parcheada
A flaw was found in the flatpak package. It is susceptible to a software flaw that can deceive portals and other host-OS services into treating the flatpak app as an ordinary, non-sandboxed host-OS process. This flaw allows the escalation of privileges that the corresponding services presume the flatpak app has. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2021-09-15 CVE Reserved
- 2021-10-08 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (16)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2021/10/26/9 | Mailing List |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Flatpak Search vendor "Flatpak" | Flatpak Search vendor "Flatpak" for product "Flatpak" | < 1.8.2 Search vendor "Flatpak" for product "Flatpak" and version " < 1.8.2" | - |
Affected
| ||||||
Flatpak Search vendor "Flatpak" | Flatpak Search vendor "Flatpak" for product "Flatpak" | >= 1.10.0 < 1.10.4 Search vendor "Flatpak" for product "Flatpak" and version " >= 1.10.0 < 1.10.4" | - |
Affected
| ||||||
Flatpak Search vendor "Flatpak" | Flatpak Search vendor "Flatpak" for product "Flatpak" | >= 1.11.1 < 1.12.1 Search vendor "Flatpak" for product "Flatpak" and version " >= 1.11.1 < 1.12.1" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
|