Critical Vulnerability Found in Flatpak: CVE-2024-42472 (CVSS 10) Exposes Files Outside Sandbox
A serious security flaw has been discovered in Flatpak, a popular system for distributing and running sandboxed desktop applications on Linux. The vulnerability, tracked as CVE-2024-42472 (CVSS 10), allows malicious or compromised apps to bypass the sandbox and gain unauthorized access to files outside their designated area.
Impact and Severity
Chris Williams, a security researcher, discovered a flaw in how Flatpak handles persistent directories—directories intended to store data that persists across application sessions. When an application is configured to use the persistent (--persist) option, it is supposed to have access only to a designated subdirectory within its sandbox. However, the vulnerability arises when a symlink replaces the source directory for the persistent option.
In this scenario, the next time the application is started, the bind mount follows the symlink, potentially granting the application access to any file or directory the symlink points to. This effectively bypasses the sandbox’s restrictions, allowing the application to read and write files in locations it should not have access to.
The vulnerability impacts Flatpak versions up to and including 1.14.8 and 1.15.9.
Impact
CVE-2024-42472 poses a significant risk, particularly in scenarios where a compromised or malicious Flatpak application exploits this flaw to access sensitive files, such as SSH keys or configuration files stored outside the sandbox. This could lead to unauthorized data access, data corruption, or even remote code execution if the compromised files are critical to system operations.
Mitigation and Recommendations
Users are strongly advised to update Flatpak to the latest patched versions (1.14.10 or later, or any version 1.15.10 or later) as soon as possible. Additionally, it is recommended to review the list of installed apps using the persistent permission and exercise caution when granting this permission to new apps, especially from untrusted sources.
Users who have manually replaced a Flatpak application’s persistent directory with a symlink may encounter compatibility issues after updating. The persistent directory will be ignored for security reasons, and the application may fail to save its state. Flatpak will issue a warning when such an app is run, indicating that the symlink is not allowed.
To avoid these issues, users who need to move persistent directories to another filesystem due to space constraints are advised to use bind mounts instead of symlinks.
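One way to carry out that review and to find symlinked persistent directories before they are ignored by the patched version, as an added shell example that is not from the article or the Flatpak project. It assumes that `flatpak info -m APP` prints the app metadata with a `persistent=` key in its [Context] section, that `flatpak list --app --columns=application` prints installed app ids, and that per-app data lives under ~/.var/app/APP/.

```shell
#!/bin/sh
# Added audit helper, not Flatpak project code. Assumptions (labelled):
#   - `flatpak info -m APP` prints the app metadata; its [Context] section
#     carries a `persistent=` key listing the --persist directories;
#   - `flatpak list --app --columns=application` prints installed app ids;
#   - per-app data lives under ~/.var/app/APP/ (FLATPAK_APP_BASE overrides).

# Read metadata text on stdin; print each persistent= entry on its own line.
persist_dirs_from_metadata() {
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]") }
        in_ctx && $1 == "persistent" {
            n = split($2, parts, ";")
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }'
}

# Classify one persistent directory under an app data dir: "symlink", "dir"
# or "missing". A symlink is exactly what the bind mount followed in
# CVE-2024-42472, and what a patched Flatpak now ignores with a warning.
classify_persist_dir() {
    target="$1/$2"
    if [ -L "$target" ]; then echo symlink
    elif [ -d "$target" ]; then echo dir
    else echo missing
    fi
}

# Audit one app: list its persistent dirs and how each exists on disk.
audit_app() {
    app_id="$1"
    base="${FLATPAK_APP_BASE:-$HOME/.var/app}"
    flatpak info -m "$app_id" | persist_dirs_from_metadata | while read -r rel; do
        printf '%s\t%s\t%s\n' "$app_id" "$rel" \
            "$(classify_persist_dir "$base/$app_id" "$rel")"
    done
}

# Audit every installed app; run as: FLATPAK_PERSIST_AUDIT=run sh audit.sh
audit_all() {
    flatpak list --app --columns=application | while read -r app_id; do
        audit_app "$app_id"
    done
}

if [ "${FLATPAK_PERSIST_AUDIT:-}" = "run" ]; then
    audit_all
fi
```

Any row reporting `symlink` is a persistent directory that the patched release will refuse to bind-mount; replace it with a bind mount (as the article advises) before updating.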