A vulnerability in Flatpak allowed code to be executed outside the sandbox


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or generally cause problems

Several days ago the news broke that a vulnerability had been detected in Flatpak (the system for building, distributing and running isolated desktop application environments on Linux). Cataloged as CVE-2024-32462 and classified under CWE-88, the vulnerability allowed escaping the sandbox via RequestBackground.

This vulnerability affects specific versions of Flatpak, and its impact can be serious, since a specially crafted application could execute arbitrary code outside the sandbox, compromising user information.

About the vulnerability CVE-2024-32462

It is mentioned that the vulnerability allows a malicious or compromised application distributed in the Flatpak package format to bypass the sandbox isolation and access files on the host system. This problem occurs only in packages that use Freedesktop portals (xdg-desktop-portal), which are used to give isolated applications access to resources in the user's environment.

It is possible to pass an arbitrary command line to the org.freedesktop.portal.Background.RequestBackground portal interface from a Flatpak application. Normally this is safe, because you can only specify a command that exists within the sandbox environment; but when a crafted commandline object is converted into --command arguments, the application could achieve the same effect as passing arguments directly to bwrap, thus achieving a sandbox escape.

The solution is for Flatpak to pass the -- argument to bwrap, which causes it to stop processing options, before adding the command specified by the attacker. The -- argument has been supported since bubblewrap 0.3.0, and all supported versions of Flatpak already require at least that version of bubblewrap.

Exploitation of this vulnerability allows a sandboxed application to use the xdg-desktop-portal interface to create a .desktop file whose command launches the application through flatpak, thus allowing access to files on the host system.

The essence of the vulnerability that allows evading the sandbox lies in the --command argument of flatpak run, which is expected to receive a command to run inside the specified Flatpak application, along with some optional arguments. By manipulating the --command parameter, which is used to pass the name of the program, it was possible to pass an option name instead, e.g. --bind, and this was misinterpreted as a bwrap option rather than as the program to run within the package's isolated environment.

A practical example of this: to run the ls utility in an isolated package environment, you would use something similar to this:

"flatpak run --command=ls org.gnome.gedit"

Which will execute:

"bwrap ...lots of stuff... --bind / /host ls -l /host"

In this case, the name "--bind" is not treated as the name of the application to run, but rather as a bwrap option.

As such, the vulnerability lies in the fact that if the program name begins with the characters "--", the bwrap utility interprets it as one of its own options. Originally, passing commands this way was not considered dangerous, since they would run in the package's isolated environment. However, it was not taken into account that commands starting with "--" would be interpreted as options by the bwrap utility. As a result, the xdg-desktop-portal interface can be exploited to create a ".desktop" file with a command that triggers this vulnerability.

It is mentioned that one of the mitigations is that version 1.18.4 of xdg-desktop-portal no longer allows Flatpak applications to create new .desktop files for commands that start with -.

Finally, it is worth mentioning that the vulnerability has been fixed in the patched Flatpak versions 1.15.8, 1.14.6, 1.12.9 and 1.10.9. Additionally, a security fix has been proposed for xdg-desktop-portal versions 1.16.1 and 1.18.4.

You can check the version of Flatpak you have by running the following command:

flatpak --version

If you are on a vulnerable version, or simply want to update Flatpak, run one of the following commands:

Ubuntu/Debian and derivatives:

sudo apt upgrade flatpak

RHEL/Fedora and derivatives:

sudo dnf upgrade flatpak

Arch Linux and derivatives:

sudo pacman -Syu flatpak
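To turn the version check above into something you can run across a fleet before deciding whether to upgrade, here is an added example (not code from the article or the Flatpak project) that compares a Flatpak version string against the patched releases listed above. The branch-to-fix mapping comes from this article; anything newer than 1.15.8 is assumed fixed, and branches the article does not mention are conservatively reported as vulnerable.

```sh
#!/bin/sh
# Added example, not code from the article or the Flatpak project: classify a
# Flatpak version against the patched releases named above (1.15.8, 1.14.6,
# 1.12.9, 1.10.9). Assumption: anything newer than 1.15.8 is fixed; branches
# the article does not list (e.g. 1.11.x, 1.13.x) are reported as vulnerable.

# Usage: flatpak_fix_status "1.14.4"   (also accepts "Flatpak 1.14.4")
# Prints "patched" (exit 0) or "vulnerable" (exit 1).
flatpak_fix_status() {
    ver=${1##* }                  # strip a leading "Flatpak " if present
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}       # keep only the leading digits
    [ -n "$minor" ] || minor=0
    case "$rest" in
        *.*) patch=${rest#*.} ;;  # third component present
        *)   patch=0 ;;           # "1.14" is treated as 1.14.0
    esac
    patch=${patch%%[!0-9]*}       # drop distro suffixes such as "-1" or "+git"
    [ -n "$patch" ] || patch=0

    case "$major" in
        1) ;;                                 # handled branch by branch below
        [2-9]*) echo patched; return 0 ;;     # 2.x or later postdates the fix
        *) echo vulnerable; return 1 ;;
    esac
    if [ "$minor" -gt 15 ]; then
        echo patched; return 0                # 1.16+ is newer than 1.15.8
    fi
    case "$minor" in
        15) fixed=8 ;;
        14) fixed=6 ;;
        12) fixed=9 ;;
        10) fixed=9 ;;
        *)  echo vulnerable; return 1 ;;      # unlisted branch: assume unpatched
    esac
    if [ "$patch" -ge "$fixed" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Check the locally installed Flatpak, if there is one.
if command -v flatpak >/dev/null 2>&1; then
    installed=$(flatpak --version)
    printf '%s: %s\n' "$installed" "$(flatpak_fix_status "$installed")"
fi
```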

If you are interested in learning more about it, you can check the details at the following link.