// For flags

CVE-2021-41133

Sandbox bypass via recent VFS-manipulating syscalls

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.

Flatpak es un sistema para construir, distribuir y ejecutar aplicaciones de escritorio en sandbox en Linux. En versiones anteriores a 1.10.4 y 1.12.0, las aplicaciones Flatpak con acceso directo a los sockets AF_UNIX, como los usados por Wayland, Pipewire o pipewire-pulse, pueden engañar a los portales y otros servicios del sistema operativo anfitrión para que traten la aplicación Flatpak como si fuera un proceso ordinario del Sistema Operativo anfitrión sin sandbox. Pueden hacer esto al manipular el VFS usando recientes llamadas al sistema relacionadas con el montaje que no están bloqueadas por el filtro seccomp de Flatpak, para sustituir un "/.flatpak-info" diseñado o hacer que ese archivo desaparezca por completo. Las aplicaciones Flatpak que actúan como clientes de sockets AF_UNIX como los usados por Wayland, Pipewire o pipewire-pulse pueden escalar los privilegios que los servicios correspondientes creerán que presenta la aplicación Flatpak. Ten en cuenta que los protocolos que operan completamente sobre el bus de sesión D-Bus (bus de usuario), el bus de sistema o el bus de accesibilidad no están afectados por esto. Esto es debido al uso de un proceso proxy "xdg-dbus-proxy", cuyo VFS no puede ser manipulado por la app Flatpak, cuando interactúa con estos buses. Se presentan parches para las versiones 1.10.4 y 1.12.0, y en el momento de la publicación, se está planeando un parche para la versión 1.8.2. No se presentan soluciones aparte de la actualización a una versión parcheada

A flaw was found in the flatpak package. It is susceptible to a software flaw that can deceive portals and other host-OS services into treating the flatpak app as an ordinary, non-sandboxed host-OS process. This flaw allows the escalation of privileges that the corresponding services presume the flatpak app has. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2021-09-15 CVE Reserved
  • 2021-10-08 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
References (16)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Flatpak
Search vendor "Flatpak"
Flatpak
Search vendor "Flatpak" for product "Flatpak"
< 1.8.2
Search vendor "Flatpak" for product "Flatpak" and version " < 1.8.2"
-
Affected
Flatpak
Search vendor "Flatpak"
Flatpak
Search vendor "Flatpak" for product "Flatpak"
>= 1.10.0 < 1.10.4
Search vendor "Flatpak" for product "Flatpak" and version " >= 1.10.0 < 1.10.4"
-
Affected
Flatpak
Search vendor "Flatpak"
Flatpak
Search vendor "Flatpak" for product "Flatpak"
>= 1.11.1 < 1.12.1
Search vendor "Flatpak" for product "Flatpak" and version " >= 1.11.1 < 1.12.1"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected