Bug 1191507 - (CVE-2021-41133) VUL-0: CVE-2021-41133: flatpak: Sandbox bypass via recent VFS-manipulating syscalls
Status: REOPENED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Assigned To: E-mail List
URL: https://smash.suse.de/issue/312184/
CVSSv3.1:SUSE:CVE-2021-41133:8.8:(AV:...
Reported: 2021-10-09 09:17 UTC by Andreas Stieger
Modified: 2022-08-08 15:14 UTC
Found By: Critical Area Rapid Test Team

Description Andreas Stieger 2021-10-09 09:17:55 UTC
An anonymous reporter discovered that Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process, by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted /.flatpak-info or make that file disappear entirely.

Impact

Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has.

Mitigation: Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process xdg-dbus-proxy, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses.

Patches

The short-term solution is to expand the deny-list of syscalls in the seccomp filter:

https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf
https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48
https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca
https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330
https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f
https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36
https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999
https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf

Follow-up hardening is likely to convert the deny-list into an allow-list, and/or block namespace transitions in some other way.

Affected versions:
1.11.x, 1.10.x <= 1.10.3, 1.8.x <= 1.8.2
Patched versions 1.10.4, 1.12.0, also expected in 1.8.2

References:
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
Comment 2 Robert Frohl 2021-10-11 15:13:25 UTC
tracking as affected for now:

- SUSE:SLE-15:Update/flatpak
- SUSE:SLE-15-SP1:Update/flatpak
- SUSE:SLE-15-SP2:Update/flatpak
Comment 3 Robert Frohl 2021-10-11 15:13:32 UTC
Thanks for opening the bug Andreas!
Comment 4 Dominique Leuenberger 2021-10-19 11:59:59 UTC
Flatpak coming from SUSE:SLE-15-SP2:Update seems to imply that this is a SLE Bug, thus to be handled by the SLE Package Maintainers:
Comment 5 Swamp Workflow Management 2021-10-20 10:24:29 UTC
SUSE-SU-2021:3472-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1191507
CVE References: CVE-2021-41133
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    flatpak-1.10.5-4.9.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    flatpak-1.10.5-4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2021-10-20 10:30:35 UTC
openSUSE-SU-2021:3472-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1191507
CVE References: CVE-2021-41133
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    flatpak-1.10.5-4.9.1
Comment 8 Swamp Workflow Management 2021-10-31 20:33:15 UTC
openSUSE-SU-2021:1400-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1191507
CVE References: CVE-2021-41133
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    flatpak-1.10.5-lp152.3.9.1
Comment 9 Dominique Leuenberger 2022-03-21 15:18:02 UTC
(In reply to Swamp Workflow Management from comment #6)
> openSUSE-SU-2021:3472-1: An update that fixes one vulnerability is now
> available.
> 
> Category: security (important)
> Bug References: 1191507
> CVE References: CVE-2021-41133
> JIRA References: 
> Sources used:
> openSUSE Leap 15.3 (src):    flatpak-1.10.5-4.9.1

(In reply to Swamp Workflow Management from comment #8)
> openSUSE-SU-2021:1400-1: An update that fixes one vulnerability is now
> available.
> 
> Category: security (important)
> Bug References: 1191507
> CVE References: CVE-2021-41133
> JIRA References: 
> Sources used:
> openSUSE Leap 15.2 (src):    flatpak-1.10.5-lp152.3.9.1

Patches have been released - closing