Vulnerability Details : CVE-2021-41133
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, a Flatpak app with direct access to AF_UNIX sockets, such as those used by Wayland, Pipewire or pipewire-pulse, can trick portals and other host-OS services into treating it as though it were an ordinary, non-sandboxed host-OS process. Those services identify a sandboxed peer by reading the `/.flatpak-info` file in the peer's filesystem view. The app can manipulate its own VFS with recent mount-related syscalls that Flatpak's denylist seccomp filter did not block, and so substitute a crafted `/.flatpak-info` (claiming permissions it was never granted) or make the file disappear entirely, in which case the service sees no sandbox marker at all. A Flatpak app that acts as a client of such a socket can therefore escalate the privileges the corresponding service believes it has. This is the generic weakness of a syscall denylist: any syscall the kernel gains after the list was written is allowed by default.

Protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected, because the app reaches those buses through the proxy process `xdg-dbus-proxy`, whose VFS the app cannot manipulate.

Patches exist for versions 1.10.4 and 1.12.0, and at the time of publication a patch for version 1.8.2 was being planned. There are no workarounds aside from upgrading to a patched version.
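The fix commits listed under References close the gap by extending the denylist. The block below is an added example, my own code and not Flatpak's (Flatpak builds its filter with libseccomp; this writes the BPF by hand so it compiles with nothing but kernel headers). It builds a denylist for the syscall families the commit titles name (chroot, setns, unmounting via umount2, clone3, and the new mount API: open_tree, move_mount, fsopen, fsconfig, fsmount, fspick, mount_setattr) and includes two probes that can be compiled and run inside an app's sandbox to see whether those calls are still reachable. Which members of the mount API Flatpak's list actually contains, and which errno values its filter returns, are assumptions here; the syscall numbers 428 to 442 are the architecture-independent ones Linux assigns to post-5.1 syscalls.

```c
/* Added example, not Flatpak's code: a hand-written seccomp BPF denylist for the
 * syscall families named in the CVE-2021-41133 fix commits, plus probes to run
 * inside a sandbox. Syscall set and errno values are this example's choices. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "set NATIVE_ARCH to this architecture's AUDIT_ARCH_* value"
#endif
#define STMT(code, k)         (struct sock_filter)BPF_STMT(code, k)
#define JUMP(code, k, jt, jf) (struct sock_filter)BPF_JUMP(code, k, jt, jf)

struct denied { const char *name; int nr; int err; };
/* ENOSYS for the newer calls so callers fall back as if the kernel lacked them
 * (glibc retries clone() only when clone3() fails with ENOSYS); EPERM for the
 * older, always-privileged ones. Post-5.1 numbers are the same on every arch. */
static const struct denied DENYLIST[] = {
    { "chroot",        __NR_chroot,  EPERM  },
    { "setns",         __NR_setns,   EPERM  },
    { "umount2",       __NR_umount2, EPERM  },
    { "clone3",        435,          ENOSYS },
    { "open_tree",     428,          ENOSYS },
    { "move_mount",    429,          ENOSYS },
    { "fsopen",        430,          ENOSYS },
    { "fsconfig",      431,          ENOSYS },
    { "fsmount",       432,          ENOSYS },
    { "fspick",        433,          ENOSYS },
    { "mount_setattr", 442,          ENOSYS },
};
#define NDENIED (sizeof DENYLIST / sizeof DENYLIST[0])

/* Kill on a foreign ABI (x32 and 32-bit callers report another arch), load nr,
 * one JEQ + RET_ERRNO pair per entry, default ALLOW. Returns 0 if cap is small. */
size_t build_denylist(struct sock_filter *out, size_t cap,
                      const struct denied *list, size_t n)
{
    size_t i = 0;
    if (cap < 5 + 2 * n) return 0;
    out[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++) {
        out[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)list[j].nr, 0, 1);
        out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (list[j].err & SECCOMP_RET_DATA));
    }
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Install for this process (NO_NEW_PRIVS lets an unprivileged process do it);
 * returns the instruction count, or -1 on failure. */
int install_denylist(void)
{
    struct sock_filter insns[64];
    struct sock_fprog prog = { .filter = insns };
    prog.len = (unsigned short)build_denylist(insns, 64, DENYLIST, NDENIED);
    if (prog.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? prog.len : -1;
}

/* Probes return 0 (strerror: "Success") if the call went through, else errno.
 * A non-cloning open_tree() of "/" needs no privilege, so 0 means reachable. */
int probe_open_tree(void)
{
    long fd = syscall(428 /* open_tree */, AT_FDCWD, "/", 0);
    if (fd >= 0) close((int)fd);
    return fd >= 0 ? 0 : errno;
}

int probe_chroot(void)
{
    return syscall(__NR_chroot, "/") == 0 ? 0 : errno;
}

int main(void)
{
    printf("open_tree before filter: %s\n", strerror(probe_open_tree()));
    if (install_denylist() < 0) { perror("install_denylist"); return 1; }
    printf("open_tree after filter: %s\n", strerror(probe_open_tree()));
    printf("chroot after filter: %s\n", strerror(probe_chroot()));
    return 0;
}
```

To use it as a check, build it on the host and run it inside an app's sandbox (for instance with `flatpak run --command=/path/to/probe APPID`, the binary placed somewhere the sandbox can see). The "before filter" line is the one that matters there: "Success" means the sandbox lets a non-cloning open_tree() through, which an unpatched denylist does on any kernel from 5.2 onwards; an errno from the sandbox's own filter means it is blocked. ENOSYS is ambiguous on kernels older than 5.2, where the syscall simply does not exist, and chroot is a weaker probe because the kernel itself returns EPERM to an unprivileged caller. The arch check at the top of the program is not optional: without it a caller switching to the x32 or 32-bit ABI would present different syscall numbers and walk past the list.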
Vulnerability category: Input validation
Products affected by CVE-2021-41133
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41133
EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~16% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-41133
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P (CVSS 2.0) | 3.9 | 6.4 | NIST | |
| 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
| 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 | GitHub, Inc. | |

The GitHub and NIST 3.1 vectors differ only in Scope: GitHub rates it S:C because the sandboxed app gains privileges in host services outside its own security scope.
CWE ids for CVE-2021-41133
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by security-advisories@github.com, Secondary)
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. (Assigned by nvd@nist.gov, Secondary)
References for CVE-2021-41133
- https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330 (run: Block clone3() in sandbox, flatpak/flatpak@a10f52a) [Patch; Third Party Advisory]
- https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf (run: Don't allow chroot(), flatpak/flatpak@462fca2) [Patch; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/ ([SECURITY] Fedora 33 Update: flatpak-1.10.5-1.fc33, package-announce) [Mailing List; Third Party Advisory]
- https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f (run: Disallow recently-added mount-manipulation syscalls, flatpak/flatpak@9766ee0) [Patch; Third Party Advisory]
- https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48 (run: Add cross-references for some other seccomp syscall filters, flatpak/flatpak@89ae9fe) [Patch; Third Party Advisory]
- https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36 (run: Block setns(), flatpak/flatpak@4c34815) [Patch; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/ ([SECURITY] Fedora 34 Update: flatpak-1.10.5-1.fc34, package-announce) [Mailing List; Third Party Advisory]
- https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999 (run: Don't allow unmounting filesystems, flatpak/flatpak@1330662) [Patch; Third Party Advisory]
- https://www.debian.org/security/2021/dsa-4984 (Debian Security Information: DSA-4984-1 flatpak) [Third Party Advisory]
- https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca (common: Add a list of recently-added Linux syscalls, flatpak/flatpak@26b1248) [Patch; Third Party Advisory]
- https://security.gentoo.org/glsa/202312-12 (Flatpak: Multiple Vulnerabilities, GLSA 202312-12, Gentoo security)
- https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q (Sandbox bypass via recent VFS-manipulating syscalls, GHSA-67h7-w3jq-vh4q) [Patch; Third Party Advisory]
- https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf (run: Add an errno value to seccomp filters, flatpak/flatpak@e26ac75) [Patch; Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2021/10/26/9 (oss-security: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006) [Mailing List; Third Party Advisory]