CVE-2023-28100 & CVE-2023-28101: Two Security Vulnerabilities in Flatpak

Flatpak is a popular system for building, distributing, and running sandboxed desktop applications on Linux. Recently, two significant security vulnerabilities have been discovered, putting users at risk.

CVE-2023-28100 – Flatpak Command Execution Vulnerability

In a critical security flaw with a CVSS score of 10 (calculated by GitHub), Flatpak has been found to allow remote attackers to execute arbitrary commands on the system. The vulnerability is a sandboxing issue involving the TIOCLINUX ioctl command. It is similar to CVE-2017-5226, but uses the TIOCLINUX ioctl command instead of TIOCSTI.

Impact:

The vulnerability primarily affects Linux virtual consoles like /dev/tty1, which are not commonly used to run Flatpak apps. In this scenario, an attacker can copy text from the virtual console and paste it into the command buffer, which could then be executed after the Flatpak app has exited.

It is important to note that typical graphical terminal emulators, such as xterm, gnome-terminal, and Konsole, are unaffected by this vulnerability. Furthermore, Flatpak is designed to be run from a Wayland or X11 graphical environment, making this issue relatively unlikely to cause widespread problems.

Mitigation:

Users are advised to update their Flatpak installations to versions 1.10.8, 1.12.8, 1.14.4, or 1.15.4, which contain a patch for the CVE-2023-28100 vulnerability. As a workaround, users should avoid running Flatpak on Linux virtual consoles and stick to the intended Wayland or X11 graphical environments.

CVE-2023-28101 – Flatpak Security Bypass Vulnerability

A security bypass vulnerability with a CVSS score of 5.0 (calculated by GitHub) has been discovered in Flatpak. This flaw allows remote authenticated attackers to bypass security restrictions due to an issue with reading metadata containing ANSI control codes.

Impact:

An attacker can exploit this vulnerability by crafting a Flatpak app with elevated permissions and hiding those permissions from users of the flatpak(1) command-line interface. They can achieve this by setting other permissions to contain non-printable control characters, such as ESC.

Workarounds:

Users are advised to update their Flatpak installations to versions 1.10.8, 1.12.8, 1.14.4, or 1.15.4, which contain a patch for the vulnerability. As a workaround, users are advised to use a graphical user interface (GUI) like GNOME Software instead of the command-line interface. Alternatively, users can choose to only install apps from trusted maintainers.
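For CVE-2023-28101, a reviewer can check an app's metadata for non-printable control characters before trusting what a terminal displays. The following is an added example, not Flatpak's own code: it assumes the metadata is keyfile-style text (section headers and key=value lines), and the sample metadata and function names are constructed for illustration.

```python
import unicodedata

# Constructed sample metadata (not from a real app). The filesystems value
# carries an ESC sequence, the kind of non-printable byte the advisory describes.
SAMPLE_METADATA = (
    "[Application]\n"
    "name=org.example.Demo\n"
    "[Context]\n"
    "shared=network;\n"
    "filesystems=host;\x1b[2K\n"
    "sockets=x11;\n"
)


def escape_controls(text):
    """Return text with every control character shown as a visible \\xNN escape."""
    return "".join(
        f"\\x{ord(ch):02x}" if unicodedata.category(ch) == "Cc" else ch
        for ch in text
    )


def find_control_chars(metadata_text):
    """Return (line_no, section, escaped_line) for each line holding a control char."""
    findings = []
    section = None
    # split("\n") rather than splitlines(): splitlines() also breaks on
    # \x0b, \x0c, \x1c-\x1e and \x85, which would silently consume them.
    for line_no, line in enumerate(metadata_text.split("\n"), start=1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        if any(unicodedata.category(ch) == "Cc" for ch in line):
            findings.append((line_no, section, escape_controls(line)))
    return findings


if __name__ == "__main__":
    for line_no, section, shown in find_control_chars(SAMPLE_METADATA):
        print(f"line {line_no} [{section}]: {shown}")
```

Any finding means the raw text should be read in its escaped form rather than printed directly to a terminal.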