CVE-2021-41133

Published on: 10/08/2021 12:00:00 AM UTC

Last Modified on: 12/04/2021 03:04:00 AM UTC

CVE-2021-41133 - advisory for GHSA-67h7-w3jq-vh4q

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Certain versions of Debian Linux from Debian contain the following vulnerability:

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.

  • CVE-2021-41133 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: flatpak - flatpak version >= 1.8.0, <= 1.8.2
  • Affected Vendor/Software: flatpak - flatpak version >= 1.10.0, < 1.10.4
  • Affected Vendor/Software: flatpak - flatpak version >= 1.11.0, < 1.12.0
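
For triage, the three affected ranges listed above can be checked mechanically against installed versions. The following is an added example, not code from the advisory or the Flatpak project; the function names are hypothetical, and it assumes version strings of the form `Flatpak X.Y.Z` (as printed by `flatpak --version`) or distribution package names containing `X.Y.Z`.

```python
import re
import subprocess

# Affected ranges exactly as listed on this page: (low, high, high_inclusive).
AFFECTED = [
    ((1, 8, 0), (1, 8, 2), True),     # >= 1.8.0, <= 1.8.2 (no patch at publication)
    ((1, 10, 0), (1, 10, 4), False),  # >= 1.10.0, < 1.10.4
    ((1, 11, 0), (1, 12, 0), False),  # >= 1.11.0, < 1.12.0
]

def parse_version(text):
    """Extract (major, minor, micro) from e.g. 'Flatpak 1.10.2' or 'flatpak-1.10.5-1.fc33'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(text):
    """True if the version falls inside one of the ranges listed on this page."""
    v = parse_version(text)
    for low, high, high_inclusive in AFFECTED:
        if low <= v and (v <= high if high_inclusive else v < high):
            return True
    return False

def triage(version_strings):
    """Map each input string to a verdict. A version outside the listed ranges
    is reported as such, not as 'safe': the list only covers these series."""
    return {s: ("AFFECTED" if is_affected(s) else "not in listed ranges")
            for s in version_strings}

if __name__ == "__main__":
    # Constructed sample inventory, followed by the local host if flatpak is installed.
    samples = ["Flatpak 1.8.2", "Flatpak 1.10.3", "Flatpak 1.10.4",
               "Flatpak 1.11.3", "Flatpak 1.12.0", "flatpak-1.10.5-1.fc33"]
    try:
        out = subprocess.run(["flatpak", "--version"], capture_output=True,
                             text=True, check=True).stdout.strip()
        samples.append(out)
    except (FileNotFoundError, subprocess.CalledProcessError):
        pass  # flatpak not installed here; only the samples are checked
    for s, verdict in triage(samples).items():
        print(f"{s:28} {verdict}")
```
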

CVSS3 Score: 7.8 - HIGH

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2 Score: 4.6 - MEDIUM

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVE References

  • [MISC] common: Add a list of recently-added Linux syscalls · flatpak/[email protected] · GitHub: github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca
  • [MISC] run: Add cross-references for some other seccomp syscall filters · flatpak/[email protected] · GitHub: github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48
  • [MISC] run: Don't allow unmounting filesystems · flatpak/[email protected] · GitHub: github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999
  • [MISC] run: Disallow recently-added mount-manipulation syscalls · flatpak/[email protected] · GitHub: github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f
  • [FEDORA] [SECURITY] Fedora 33 Update: flatpak-1.10.5-1.fc33 - package-announce - Fedora Mailing-Lists (lists.fedoraproject.org): FEDORA-2021-c5a9c85737
  • [DEBIAN] Debian -- Security Information -- DSA-4984-1 flatpak (www.debian.org, Depreciated Link): DSA-4984
  • [MISC] run: Add an errno value to seccomp filters · flatpak/[email protected] · GitHub: github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf
  • [MISC] run: Don't allow chroot() · flatpak/[email protected] · GitHub: github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf
  • [CONFIRM] CVE-2021-41133: Sandbox bypass via recent VFS-manipulating syscalls · Advisory · flatpak/flatpak · GitHub: github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
  • [MLIST] oss-security - WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 (www.openwall.com): [oss-security] 20211026 WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006
  • [MISC] run: Block clone3() in sandbox · flatpak/[email protected] · GitHub: github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330
  • [MISC] run: Block setns() · flatpak/[email protected] · GitHub: github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36
  • [FEDORA] [SECURITY] Fedora 34 Update: flatpak-1.10.5-1.fc34 - package-announce - Fedora Mailing-Lists (lists.fedoraproject.org): FEDORA-2021-4b201d15e6

Related QID Numbers

  • 159441 Oracle Enterprise Linux Security Update for flatpak (ELSA-2021-4042)
  • 159442 Oracle Enterprise Linux Security Update for flatpak (ELSA-2021-4044)
  • 178821 Debian Security Update for flatpak (DSA 4984-1)
  • 239746 Red Hat Update for flatpak (RHSA-2021:4044)
  • 239747 Red Hat Update for flatpak (RHSA-2021:4042)
  • 239763 Red Hat Update for flatpak (RHSA-2021:4107)
  • 239770 Red Hat Update for flatpak (RHSA-2021:4106)
  • 257125 CentOS Security Update for flatpak (CESA-2021:4044)
  • 281974 Fedora Security Update for flatpak (FEDORA-2021-4b201d15e6)
  • 282022 Fedora Security Update for flatpak (FEDORA-2021-c5a9c85737)
  • 751256 OpenSUSE Security Update for flatpak (openSUSE-SU-2021:3472-1)
  • 751305 OpenSUSE Security Update for flatpak (openSUSE-SU-2021:1400-1)

Known Affected Configurations (CPE V2.3)

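  • Type: Operating System; Vendor: Debian; Product: Debian Linux; Version: 11.0; Update: All; Edition: All; Language: All
  • Type: Operating System; Vendor: Fedoraproject; Product: Fedora; Version: 33; Update: All; Edition: All; Language: All
  • Type: Operating System; Vendor: Fedoraproject; Product: Fedora; Version: 34; Update: All; Edition: All; Language: All
  • Type: Application; Vendor: Flatpak; Product: Flatpak; Version: All; Update: All; Edition: All; Language: All
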
  • cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*:
  • cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*:
