Bug 1695973 (CVE-2019-10063)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2019-10063 flatpak: Sandbox bypass via TIOCSTI (incomplete fix for CVE-2017-5226) | | |
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | amigadave, dking |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | flatpak 1.3.2 | Doc Type: | If docs needed, set a value |
| Doc Text: | An incomplete fix for CVE-2017-5226 was found in flatpak. A sandbox bypass flaw was found in the way bubblewrap, which is used for sandboxing flatpak applications, handled the TIOCSTI ioctl. A malicious flatpak application could use this flaw to inject commands into the controlling terminal of the host after the flatpak application exits. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-10 10:53:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1695974, 1700651, 1700652, 1700653, 1700654 | | |
| Bug Blocks: | 1695975 | | |
Description
Pedro Sampaio
2019-04-04 00:45:27 UTC
Created flatpak tracking bugs for this issue:

Affects: fedora-all [bug 1695974]

Analysis:

Flatpak uses bubblewrap for sandboxing applications. CVE-2017-5226 was found in bubblewrap, which would allow a sandboxed application to issue the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5226). This issue was, however, fixed in flatpak by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, via the following commit: https://github.com/flatpak/flatpak/commit/902fb713990a8f968ea4350c7c2a27ff46f1a6c4

However, it was found that this commit/security fix was not enough to fix the issue. On 64-bit systems, the seccomp filter could be bypassed by a malicious application using an ioctl request number that has TIOCSTI as its least significant 32 bits and an arbitrary non-zero value in its most significant 32 bits. The kernel would treat this as equivalent to TIOCSTI. Sandboxed applications inside flatpaks could use this to bypass the sandbox and execute commands on the host terminals, therefore bypassing the sandbox.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:1024 https://access.redhat.com/errata/RHSA-2019:1024

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:1143 https://access.redhat.com/errata/RHSA-2019:1143

Statement:

This flaw can be exploited by malicious flatpak applications which include the code to exploit the wrong handling of the TIOCSTI ioctl (AV:L). No special action needs to be performed by the attacker; just having the exploit code should be enough for bypassing the sandbox restrictions (AC:L). Also, the application needs to be downloaded and run by the victim (PR:L). The flaw results in code being executed on the host system which is running the sandboxed application, therefore this affects the host beyond the sandboxed application (S:C). Lastly, considering the worst scenario in which the flatpak is run as root on the host system, this flaw can result in the malicious application running code as root on the host system (CIA:H).
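The analysis above comes down to a mismatch between what a seccomp rule compares and what the kernel consumes: the original rule matched the whole 64-bit second syscall argument against TIOCSTI, while sys_ioctl takes the request as an unsigned int and discards the high 32 bits, so a request with TIOCSTI in the low half and anything in the high half slips past the rule and is still executed as TIOCSTI. The Python model below is an added example and not code from flatpak, bubblewrap or Red Hat; it reproduces both rule shapes (full-register equality versus masked equality) and audits them against a few constructed request values. The ioctl constants and syscall number are the real x86-64 values; the DenyRule, filter_allows and audit helpers are assumptions of this example that stand in for a real BPF filter.

```python
from dataclasses import dataclass
from typing import Sequence

TIOCSTI = 0x5412            # x86 ioctl request: push a byte into the terminal input queue
TCGETS = 0x5401             # unrelated, harmless terminal ioctl used as a control case
SYS_IOCTL = 16              # x86-64 syscall number for ioctl
MASK_32 = 0xFFFFFFFF
MASK_64 = 0xFFFFFFFFFFFFFFFF


def kernel_ioctl_cmd(raw_request: int) -> int:
    """sys_ioctl declares 'cmd' as unsigned int, so the kernel acts on only the
    low 32 bits of whatever 64-bit value sits in the second argument register."""
    return raw_request & MASK_32


@dataclass(frozen=True)
class DenyRule:
    """Seccomp-style rule (hypothetical helper): deny syscall 'nr' when
    (args[arg_index] & mask) == value."""
    nr: int
    arg_index: int
    value: int
    mask: int = MASK_64     # default: compare the entire 64-bit register

    def matches(self, nr: int, args: Sequence[int]) -> bool:
        return nr == self.nr and (args[self.arg_index] & self.mask) == self.value


def filter_allows(rules: Sequence[DenyRule], nr: int, args: Sequence[int]) -> bool:
    """Default-allow filter with an explicit deny list, the shape of flatpak's TIOCSTI rule."""
    return not any(rule.matches(nr, args) for rule in rules)


# Rule as written for the first fix: exact match on the full 64-bit argument.
VULNERABLE_RULES = [DenyRule(SYS_IOCTL, 1, TIOCSTI)]
# Corrected rule: compare only the low 32 bits, mirroring the kernel's truncation.
FIXED_RULES = [DenyRule(SYS_IOCTL, 1, TIOCSTI, mask=MASK_32)]


def tiocsti_reaches_kernel(rules: Sequence[DenyRule], raw_request: int) -> bool:
    """True when the filter passes the call AND the kernel interprets it as TIOCSTI."""
    args = (0, raw_request, 0)   # (fd, request, argp); fd and argp do not matter here
    return filter_allows(rules, SYS_IOCTL, args) and kernel_ioctl_cmd(raw_request) == TIOCSTI


# Constructed sample requests a filter regression test should cover.
SAMPLE_REQUESTS = {
    "exact": TIOCSTI,
    "high_bits_set": (0xDEAD << 32) | TIOCSTI,   # low 32 bits are TIOCSTI, high bits non-zero
    "unrelated": TCGETS,
}


def audit(rules: Sequence[DenyRule]) -> dict:
    """For each sample request, report whether TIOCSTI would reach the kernel under 'rules'."""
    return {name: tiocsti_reaches_kernel(rules, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print("vulnerable rule:", audit(VULNERABLE_RULES))
    print("fixed rule:     ", audit(FIXED_RULES))
```

In libseccomp terms the corrected rule corresponds to comparing argument 1 with SCMP_CMP_MASKED_EQ and a 0xFFFFFFFF mask instead of SCMP_CMP_EQ, so the filter checks exactly the bits the kernel will use. The same audit pattern applies to any seccomp rule that inspects a syscall argument the kernel declares as a 32-bit type: test it with high-bit variants, not just the exact constant.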