CVE-2021-41133: Sandbox bypass via recent VFS-manipulating syscalls
First published: Fri Oct 08 2021(Updated: )
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/flatpak | <=1.10.3-0+deb11u1<=1.11.3-2<=1.2.5-0+deb10u4 | 1.12.0-1 1.10.5-0+deb11u1 |
| debian/0.5.0-1 | ||
| <1.8.2 | ||
| >=1.10.0<1.10.4 | ||
| >=1.11.1<1.12.1 | ||
| =11.0 | ||
| =33 | ||
| =34 | ||
| Flatpak Flatpak | <1.8.2 | |
| Flatpak Flatpak | >=1.10.0<1.10.4 | |
| Flatpak Flatpak | >=1.11.1<1.12.1 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| debian/flatpak | <=1.2.5-0+deb10u4 | 1.10.8-0+deb11u1 1.10.7-0+deb11u1 1.14.4-1 1.14.5-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
- https://github.com/flatpak/flatpak/pull/4462
- https://security-tracker.debian.org/tracker/CVE-2021-41133
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995935
- https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999
- https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34ca
- https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aaf
- https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36
- https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48
- https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f
- https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330
- https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cf
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/
- https://www.debian.org/security/2021/dsa-4984
- http://www.openwall.com/lists/oss-security/2021/10/26/9
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/
- https://security.gentoo.org/glsa/202312-12
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/
- https://github.com/flatpak/flatpak/commit/d419fa67038370e4f4c3ce8c3b5f672d4876cfc8
- https://github.com/flatpak/flatpak/commit/3fc8c672676ae016f8e7cc90481b2feecbad9861
Frequently Asked Questions
What is the vulnerability ID for this Flatpak vulnerability?
The vulnerability ID for this Flatpak vulnerability is CVE-2021-41133.
What is Flatpak?
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.
What is the severity of CVE-2021-41133?
The severity of CVE-2021-41133 is high with a CVSS score of 7.8.
What is the affected software for CVE-2021-41133?
The affected software for CVE-2021-41133 includes Flatpak versions prior to 1.10.4 and 1.12.0, as well as Debian Debian Linux 11.0 and Fedoraproject Fedora 33 and 34.
How can CVE-2021-41133 be exploited?
CVE-2021-41133 can be exploited by Flatpak apps with direct access to AF_UNIX sockets tricking portals and other host-OS services.
How do I fix CVE-2021-41133?
To fix CVE-2021-41133, it is recommended to update Flatpak to version 1.10.4 or 1.12.0, or apply the appropriate updates provided by Debian or Fedoraproject.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/debian-bugs
- alias/CVE-2021-41133
- collector/mitre-cve
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/security-tracker-debian
- package-manager/debian
- vendor/flatpak
- canonical/flatpak flatpak
- version/flatpak flatpak/1.10.0
- version/flatpak flatpak/1.11.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34