Dangerous vulnerabilities were identified in Firejail, Connman and GNU Guix

A few days ago, news broke of several dangerous vulnerabilities detected in Firejail, Connman and GNU Guix. The vulnerability identified in Firejail, a system for running applications in a sandbox (CVE-2021-26910), allows privileges to be elevated to the root user.

Firejail uses namespaces, AppArmor and system call filtering (seccomp-bpf) for isolation on Linux, but it requires elevated privileges to set up the isolated launch. It obtains them either because the utility is installed with the suid root flag or because it is run with sudo.

The vulnerability is caused by a flaw in the code that supports the OverlayFS file system, which is used to create an additional layer on top of the main file system to save changes made by an isolated process. The isolated process is expected to get read access to the primary file system, while all write operations are redirected to temporary storage and do not affect the actual primary file system.

By default, OverlayFS partitions are mounted in the user's home directory, for example inside "/home/test/.firejail/[name]", while the owner of these directories is set to root so that the current user cannot directly change their content.

When setting up a sandbox environment, Firejail checks that the root of the OverlayFS temporary partition is not modifiable by an unprivileged user. The vulnerability is a race condition: the operations are not performed atomically, and there is a short window between the check and the mount in which the root .firejail directory can be replaced with a directory where the current user has write access (since .firejail was created in the user's home directory, the user can rename it).

Write access to the .firejail directory makes it possible to replace the OverlayFS mount points with a symbolic link and change any file on the system. The researcher has prepared a working prototype of the exploit, which will be published one week after the release of the fix. The problem has been present since version 0.9.30. In version 0.9.64.4, the vulnerability was blocked by disabling OverlayFS support.

As an alternative way to block the vulnerability, you can also disable OverlayFS by adding the parameter "overlayfs" with the value "no" to /etc/firejail/firejail.config.
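The check-then-mount race described above comes from validating a path and then using that path a second time. The following added example (not Firejail's code, and not the fix shipped in 0.9.64.4, which disabled OverlayFS) shows the general descriptor-based pattern in C that closes this kind of window. The names open_checked_dir and run_demo and the temporary directory are assumptions made for the illustration.

```c
/* Added example: descriptor-based directory check (not Firejail code). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the directory without following a final symlink, then verify owner
 * and mode on the descriptor. The fd pins the inode that was checked, so a
 * later rename or swap of the path cannot change what gets used.
 * Returns the fd on success, -1 if the directory is rejected. */
int open_checked_dir(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check on a temporary directory. Returns a bitmask:
 * bit 0 = good directory accepted, bit 1 = symlink rejected,
 * bit 2 = wrong owner rejected, bit 3 = group/world-writable rejected. */
int run_demo(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX", lnk[64];
    int fd, r = 0;
    if (!mkdtemp(dir)) return -1;               /* created with mode 0700 */
    snprintf(lnk, sizeof lnk, "%s.lnk", dir);
    if (symlink(dir, lnk) != 0) return -1;

    if ((fd = open_checked_dir(dir, geteuid())) >= 0) { r |= 1; close(fd); }
    if (open_checked_dir(lnk, geteuid()) < 0) r |= 2;
    if (open_checked_dir(dir, geteuid() + 1) < 0) r |= 4;
    chmod(dir, 0777);
    if (open_checked_dir(dir, geteuid()) < 0) r |= 8;

    unlink(lnk);
    rmdir(dir);
    return r;
}

int main(void) { printf("result mask: %d\n", run_demo()); return 0; }
```

Every later operation should go through the returned descriptor (for example with openat() or fchdir()) rather than through the original path, otherwise the window between check and use reopens.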

The second dangerous vulnerability identified (CVE-2021-26675) is in the network configurator ConnMan, which has become widespread in embedded Linux systems and IoT devices. The vulnerability potentially allows remote execution of the attacker's code.

The problem is due to a buffer overflow in the dnsproxy code, and it can be exploited by returning specially crafted responses from the DNS server to which the DNS proxy is configured to redirect traffic. Tesla, which uses ConnMan, reported the problem. The vulnerability was fixed in yesterday's release of ConnMan 1.39.

Finally, the other security vulnerability that was disclosed is in the GNU Guix distribution and is related to the way suid-root files are placed in the /run/setuid-programs directory.

Most of the programs in this directory were shipped with the setuid-root and setgid-root flags, but they were not designed to work with setgid-root, which could potentially be used to elevate privileges on the system.

Since most of these programs are designed to run as setuid-root but not as setgid-root, this configuration posed a risk of local privilege escalation (Guix users on a "foreign distribution" are not affected).

This bug has been fixed and users are encouraged to update their systems.

No exploitation of this problem is known to date.

Finally, if you are interested in learning more about the reported vulnerabilities, you can check the details at the following links.

Firejail, Connman and GNU Guix

