Input validation error in firejail - CVE-2019-12499
Published: May 31, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35866
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-12499
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: firejail.wordpress.com
Affected software:
firejail
firejail
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Firejail before 0.9.60 allows truncation (resizing to length 0) of the firejail binary on the host by running exploit code inside a firejail sandbox and having the sandbox terminated. To succeed, certain conditions need to be fulfilled: The jail (with the exploit code inside) needs to be started as root, and it also needs to be terminated as root from the host (either by stopping it ungracefully (e.g., SIGKILL), or by using the --shutdown control command). This is similar to CVE-2019-5736.
How to mitigate CVE-2019-12499
Install update from vendor's website.
Sources
- https://github.com/netblue30/firejail/issues/2401
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CDY7B73YDRBURA25APSHD5PFEO4TNSFW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGVULJ6IKVDO6UAVIQRHQVSKOUD6QDWM/