Amazon Linux 2022 : (ALAS2022-2022-179)

high Nessus Plugin ID 167016

Synopsis

The remote Amazon Linux 2022 host is missing a security update.

Description

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-179 advisory.

- Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user.
Flatpak shows permissions to the user during install by reading them from the xa.metadata key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the metadata file to ensure it wasn't lied to.
However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.
(CVE-2021-43860)

- Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`. (CVE-2022-21682)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'dnf update flatpak --releasever=2022.0.20221102' to update your system.

See Also

https://alas.aws.amazon.com/cve/html/CVE-2021-43860.html

https://alas.aws.amazon.com/cve/html/CVE-2022-21682.html

https://alas.aws.amazon.com/AL2022/ALAS-2022-179.html

Plugin Details

Severity: High

ID: 167016

File Name: al2022_ALAS2022-2022-179.nasl

Version: 1.2

Type: local

Agent: unix

Published: 11/5/2022

Updated: 11/5/2022

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS Score Source: CVE-2021-43860

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:2.3:a:amazon:linux:flatpak:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:flatpak-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:flatpak-devel:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:flatpak-libs:*:*:*:*:*:*:*, cpe:2.3:o:amazon:linux:2022:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:flatpak-debugsource:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:flatpak-libs-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:flatpak-selinux:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:flatpak-session-helper:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:flatpak-session-helper-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:flatpak-tests:*:*:*:*:*:*:*, p-cpe:2.3:a:amazon:linux:flatpak-tests-debuginfo:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/1/2022

Vulnerability Publication Date: 1/12/2022

Reference Information

CVE: CVE-2021-43860, CVE-2022-21682