An attacker can also use this issue to bypass the cap_net_bind_service kernel cap and gain access to otherwise restricted services.

To exploit this issue, an attacker must be able to convince a user to open an untrusted Firejail container as their join target in a jail.

The following are some examples of how this issue can be exploited. - A user downloads an untrusted Firejail container, such as a malicious PDF file that contains a maliciously crafted Firejail container that can be accepted as a join target by the setuid-root program. - An attacker sends a malicious email with a maliciously crafted PDF file that contains a maliciously crafted Firejail container that can be accepted as a join target by the setuid-root program. - An attacker hosts a malicious website that contains a maliciously crafted PDF file that contains a maliciously crafted Firejail container that can be accepted as a join target by the setuid-root program. - A user downloads an untrusted Firejail container, such as a malicious PDF file that contains a maliciously crafted Firejail container that can be accepted as a join target by the setuid-root program. - An attacker sends a malicious email with a maliciously crafted PDF file that contains a maliciously crafted Firejail container that can be accepted as a join target by the setuid-root program. - An attacker hosts a malicious website that contains a maliciously crafted PDF file

Vulnerability overview

The vulnerability is due to a design flaw in the way that Firejail handles untrusted containers. Instead of explicitly checking for untrusted containers, the application assumes that all untrusted containers are trusted, which can result in an attacker being able to gain root access on a system by attaching an untrusted container.
To exploit this issue, an attacker must be able to convince a user to open an untrusted Firejail container as their join target in a jail. The following are some examples of how this issue can be exploited.
- A user downloads an untrusted Firejail container, such as a malicious PDF file that contains a maliciously crafted Firejail container that can be accepted as a join target by the setuid-root program. - An attacker sends a malicious email with a maliciously crafted PDF file that contains a maliciously crafted Firejail container that can be accepted as a join target by the setuid-root program. - An attacker hosts a malicious website that contains a maliciously crafted PDF file that contains a maliciously crafted Firejail container that can be accepted as a join target by the setuid-root program.

Vulnerable Packages

- linux: 4.14.0-18 - linux-aws: 4.14.0-62 - linux-azure: 4.14.0-34 - linux-gcp: 4.14.0-25 - linux-kvm: 4.14.0-65

CVE ID ids for all the vulnerable packages are listed below in the following directories
/etc/cron.d /etc/initrc /usr/bin

Set up Firejail

To protect against CVE-2022-31214, you'll need to set up Firejail. First, create a file that contains the following text:

#!/usr/bin/env bash export CAP_NET_BIND_SERVICE=yes export CAP_NET_BIND_SERVICE_ROOT=yes export CAP_SETUID=yes for a in "$@" do if [[ $a == "bash" ]] then echo "Running as root" su -c "$a" else echo 'Not running as root' fi done

Firejail

Firejail is a security sandbox program that uses Linux kernel namespaces. Firejail provides a means of running untrusted applications in a secure environment with minimal privilege escalation, resource restriction, and process isolation capabilities. This can be useful for applications that require some level of restricted access or are not supported by the Linux operating system.
The following are some examples of how this issue can be exploited. - A user downloads an untrusted Firejail container, such as a malicious PDF file that contains a maliciously crafted Firejail container that can be accepted as a join target by the setuid-root program. - An attacker sends an email with an attachment containing an untrusted PDF file that contains a maliciously crafted Firejail container that can be accepted as a join target by the setuid-root program. - A user downloads an untrusted Firejail container, such as a malicious PDF file that contains a maliciously crafted Firejail container

Timeline

Published on: 06/09/2022 16:15:00 UTC
Last modified on: 06/29/2022 22:15:00 UTC

References