Vulnerabilities > CVE-2019-8308 - Exposure of Resource to Wrong Sphere vulnerability in multiple products

047910
CVSS 8.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
flatpak
debian
redhat
CWE-668
nessus

Summary

Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.

Vulnerable Configurations

Part Description Count
Application
Flatpak
104
OS
Debian
2
OS
Redhat
6

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-A5F616808E.NASL
    descriptionUpdate to 1.0.7 Fixes related to CVE-2019-5736. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122523
    published2019-03-01
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122523
    titleFedora 28 : flatpak (2019-a5f616808e)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-a5f616808e.
    #
    
    include("compat.inc");
    
    # Metadata registration: when the script is run with `description` set, it
    # only declares its identity, advisory text, scoring and prerequisites, then
    # exits at the bottom of this block without touching the target.
    if (description)
    {
      # Plugin identity; 122523 is the same plugin id shown in the listing above.
      script_id(122523);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/23 11:21:11");
    
      # Two CVEs are attached to this one Fedora update. The advisory text below
      # names only CVE-2019-5736; CVE-2019-8308 (the flatpak /proc exposure this
      # page is about) appears only in this list.
      script_cve_id("CVE-2019-5736", "CVE-2019-8308");
      script_xref(name:"FEDORA", value:"2019-a5f616808e");
    
      script_name(english:"Fedora 28 : flatpak (2019-a5f616808e)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # The description is a multi-line string literal; its line breaks are part
      # of the value, so nothing may be inserted between the quotes.
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to 1.0.7
    
    Fixes related to CVE-2019-5736.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-a5f616808e"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected flatpak package."
      );
      # NOTE(review): these plugin-level vectors do not describe CVE-2019-8308 on
      # its own. The CVSS2 vector is network-reachable (AV:N) and the CVSS3 vector
      # has PR:N, whereas this page lists CVE-2019-8308 as attack vector LOCAL
      # with privileges required LOW. Presumably they come from the other CVE in
      # script_cve_id (CVE-2019-5736) - confirm before using them to prioritise
      # the flatpak issue.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      # NOTE(review): exploit availability is asserted for the plugin as a whole;
      # the script does not say which of the two CVEs it refers to.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # Declared as a local check, scoped by CPE to the flatpak package on Fedora 28.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:flatpak");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # Prerequisites: the check depends on ssh_get_info.nasl and requires these
      # three KB keys, which the check body below reads back.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      # End of the registration pass; the check logic below is not reached here.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Check body: confirm the host is a Fedora 28 system with a collected rpm
    # list on a supported CPU, then compare the installed flatpak package with
    # the fixed build. Each failed precondition hands off to audit() with a
    # specific reason code, so the order of the guards decides which reason is
    # reported.

    # Local (credentialed) checks must have been enabled for this host.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    # `>!<` is the "substring not found" operator: not a Fedora release string.
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    # Pull the numeric release out of the release string.
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    # Only Fedora 28 is in scope; the pattern rejects values such as "280".
    if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);
    
    # The package comparison below needs the rpm list gathered earlier.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Architecture gate: only x86_64 and i386-i686 are handled.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    # Compare the installed flatpak package on FC28 against the fixed build
    # flatpak-1.0.7-1.fc28. rpm_check() comes from rpm.inc (not shown);
    # presumably it returns true when the installed package is older than the
    # reference - confirm against rpm.inc.
    # NOTE(review): this is a package-version comparison against the collected
    # rpm list only. Nothing here probes the apply_extra sandbox itself, so a
    # flatpak that is not represented in Host/RedHat/rpm-list would presumably
    # not be evaluated - confirm coverage for installs made outside rpm.
    flag = 0;
    if (rpm_check(release:"FC28", reference:"flatpak-1.0.7-1.fc28")) flag++;
    
    
    if (flag)
    {
      # Outdated package found: report on port 0 at SECURITY_HOLE severity,
      # attaching the text returned by rpm_report_get() as the finding detail.
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      # No finding: distinguish "package tested and not affected" from
      # "flatpak not installed" using whatever pkg_tests_get() returns.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "flatpak");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190221_FLATPAK_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - flatpak: potential /proc based sandbox escape (CVE-2019-8308)
    last seen2020-05-31
    modified2019-02-22
    plugin id122391
    published2019-02-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122391
    titleScientific Linux Security Update : flatpak on SL7.x x86_64 (20190221)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2185-1.NASL
    descriptionThis update for flatpak fixes the following issues : Security issues fixed : CVE-2019-8308: Fixed a potential sandbox escape via /proc (bsc#1125431). CVE-2019-11460: Fixed a compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl (bsc#1133043). CVE-2019-11461: Fixed a compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl (bsc#1133041). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128048
    published2019-08-21
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128048
    titleSUSE SLED15 / SLES15 Security Update : flatpak (SUSE-SU-2019:2185-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-0375.NASL
    descriptionAn update for flatpak is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix(es) : * flatpak: potential /proc based sandbox escape (CVE-2019-8308) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id122353
    published2019-02-21
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122353
    titleCentOS 7 : flatpak (CESA-2019:0375)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1134.NASL
    descriptionAccording to the version of the flatpak packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file. (CVE-2019-8308) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-04-02
    plugin id123608
    published2019-04-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123608
    titleEulerOS 2.0 SP5 : flatpak (EulerOS-SA-2019-1134)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-0375.NASL
    descriptionAn update for flatpak is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix(es) : * flatpak: potential /proc based sandbox escape (CVE-2019-8308) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id122337
    published2019-02-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122337
    titleRHEL 7 : flatpak (RHSA-2019:0375)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2038.NASL
    descriptionThis update for flatpak fixes the following issues : Security issues fixed : - CVE-2019-8308: Fixed a potential sandbox escape via /proc (bsc#1125431). - CVE-2019-11460: Fixed a compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl (bsc#1133043). - CVE-2019-11461: Fixed a compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl (bsc#1133041). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id128454
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128454
    titleopenSUSE Security Update : flatpak (openSUSE-2019-2038)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0056_FLATPAK.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has flatpak packages installed that are affected by a vulnerability: - Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file. (CVE-2019-8308) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127246
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127246
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : flatpak Vulnerability (NS-SA-2019-0056)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-0375.NASL
    descriptionFrom Red Hat Security Advisory 2019:0375 : An update for flatpak is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix(es) : * flatpak: potential /proc based sandbox escape (CVE-2019-8308) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id122328
    published2019-02-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122328
    titleOracle Linux 7 : flatpak (ELSA-2019-0375)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1183.NASL
    descriptionEarlier versions of flatpak expose /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file. (CVE-2019-8308)
    last seen2020-06-01
    modified2020-06-02
    plugin id123467
    published2019-03-29
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123467
    titleAmazon Linux 2 : flatpak (ALAS-2019-1183)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2019-0375.NASL
    descriptionAn update for flatpak is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix(es) : * flatpak: potential /proc based sandbox escape (CVE-2019-8308) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122400
    published2019-02-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122400
    titleVirtuozzo 7 : flatpak / flatpak-builder / flatpak-devel / etc (VZLSA-2019-0375)

Redhat

advisories
bugzilla
id1675070
titleCVE-2019-8308 flatpak: potential /proc based sandbox escape
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentflatpak-builder is earlier than 0:1.0.0-4.el7_6
          ovaloval:com.redhat.rhsa:tst:20190375001
        • commentflatpak-builder is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20182766004
      • AND
        • commentflatpak-devel is earlier than 0:1.0.2-4.el7_6
          ovaloval:com.redhat.rhsa:tst:20190375003
        • commentflatpak-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20182766002
      • AND
        • commentflatpak is earlier than 0:1.0.2-4.el7_6
          ovaloval:com.redhat.rhsa:tst:20190375005
        • commentflatpak is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20182766008
      • AND
        • commentflatpak-libs is earlier than 0:1.0.2-4.el7_6
          ovaloval:com.redhat.rhsa:tst:20190375007
        • commentflatpak-libs is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20182766006
rhsa
idRHSA-2019:0375
released2019-02-19
severityImportant
titleRHSA-2019:0375: flatpak security update (Important)
rpms
  • flatpak-0:1.0.2-4.el7_6
  • flatpak-builder-0:1.0.0-4.el7_6
  • flatpak-debuginfo-0:1.0.2-4.el7_6
  • flatpak-devel-0:1.0.2-4.el7_6
  • flatpak-libs-0:1.0.2-4.el7_6