CVE-2021-43860 in Flatpak
Summary
by MITRE • 01/13/2022
Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "xa.metadata" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.
Analysis
by VulDB Data Team • 01/15/2022
CVE-2021-43860 is a permission-validation flaw in the Flatpak application sandboxing framework that affects versions before 1.12.3 and 1.10.6. Flatpak distributes Linux applications and runs them in isolated environments, showing the user at install time which permissions an app will receive. The issue is that the permissions shown at install time are not guaranteed to match those granted at runtime when an app's metadata file contains a null byte: the display path and the runtime path read the same file differently, so an app can silently obtain privileges the user never consented to.
The bug lives at the string-handling level. At install time Flatpak shows permissions taken from the "xa.metadata" key in the commit metadata; because that key is parsed as an untrusted GVariant, it cannot carry an embedded NUL. To make sure the commit metadata is not lying, Flatpak compares it with the app's actual "metadata" file. That file, however, is loaded in several places as a plain C string, so the comparison stops at the first NUL byte. Everything before the NUL is checked against what the user saw; everything after it is never compared, yet still takes effect when the app is run. A crafted metadata file therefore needs only a NUL byte followed by extra permission entries to obtain capabilities that never appear in the install prompt, and the consent model that depends on that prompt is defeated.
The impact is a bypass of the consent step Flatpak relies on. Anyone installing apps from untrusted remotes is exposed, and so is anyone whose already-installed app later receives an update carrying a crafted metadata file, since the update shows the same truncated view. The app then runs with capabilities the user never saw, and nothing in normal operation reveals it. That undermines the least-privilege model Flatpak enforces through its sandbox: the hidden entries can grant host filesystem, device, socket or network access that the sandbox was supposed to withhold.
The root cause is a poison-null-byte problem: CWE-158, Improper Neutralization of Null Byte or NUL Character, with CWE-20, Improper Input Validation, as the broader category. The CWE-129 and CWE-707 labels sometimes attached to this entry are a poor fit: CWE-129 is Improper Validation of Array Index, CWE-707 is the abstract Improper Neutralization pillar, and the "during web page generation" wording belongs to CWE-79. In ATT&CK terms the closest match is T1068, Exploitation for Privilege Escalation; T1548.002 is Bypass User Account Control, a Windows technique, and does not describe this issue. The fix is to update to 1.12.3 or 1.10.6, which close the gap between the metadata that is compared and the metadata that is applied. Until then, the only reliable manual check is to inspect the deployed metadata file (or the xa.metadata commit key) as raw bytes: a NUL anywhere in the file is itself the indicator, and tooling that reads the file as a C string will stop at it. This does not scale beyond a handful of apps. Administrators should restrict installations to trusted remotes and remember that a previously trusted app can acquire a crafted metadata file through an update, so permission audits belong in the update path as well.
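The mismatch described in the analysis above and the raw-bytes check the workaround calls for, in one added C example. This is illustrative code written for this page, not Flatpak's own: it uses a deliberately minimal stand-in for GKeyFile that understands only `[Group]` headers and `key=value` lines, a constructed metadata file with an embedded NUL, and a hypothetical helper `metadata_file_is_clean()` for auditing a deployed metadata file by its byte length rather than as a string. How the real parsers treat the bytes around the NUL is simplified here; the point is only that one path stops at the NUL and the other does not.

```c
/* Added example modelling CVE-2021-43860; not Flatpak source. The same bytes are
 * parsed twice: once as a C string (stops at the first NUL) and once over the
 * full length, as the runtime path effectively does. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed malicious metadata file. The install-time display sees only
 * "sockets=x11;"; everything after the embedded NUL is invisible to it but
 * still present in the file handed to the runtime. */
static const char malicious_metadata[] =
    "[Application]\n"
    "name=org.example.Demo\n"
    "[Context]\n"
    "sockets=x11;\n"
    "\0\n"                       /* embedded NUL: C-string readers stop here */
    "[Context]\n"
    "filesystems=host;\n";       /* hidden permission: applied, never shown */
/* sizeof() counts the literal's own terminator; drop it to get the file size. */
static const size_t malicious_metadata_len = sizeof(malicious_metadata) - 1;

/* Minimal GKeyFile stand-in: value of `key` inside [Context], scanning exactly
 * `len` bytes. Copies the value into `out` (NUL-terminated) and returns its
 * length; returns 0 when the key is absent. Last occurrence wins. */
static size_t context_value(const char *buf, size_t len, const char *key,
                            char *out, size_t outsz)
{
    size_t klen = strlen(key), pos = 0, found = 0;
    bool in_context = false;

    if (outsz == 0)
        return 0;
    out[0] = '\0';
    while (pos < len) {
        size_t eol = pos;
        while (eol < len && buf[eol] != '\n')
            eol++;                           /* eol marks the end of this line */
        const char *line = buf + pos;
        size_t linelen = eol - pos;

        if (linelen > 0 && line[0] == '[') {
            in_context = (linelen == 9 && memcmp(line, "[Context]", 9) == 0);
        } else if (in_context && linelen > klen &&
                   memcmp(line, key, klen) == 0 && line[klen] == '=') {
            size_t vlen = linelen - klen - 1;
            if (vlen >= outsz)
                vlen = outsz - 1;            /* truncate rather than overflow */
            memcpy(out, line + klen + 1, vlen);
            out[vlen] = '\0';
            found = vlen;
        }
        pos = eol + 1;
    }
    return found;
}

/* Vulnerable display path: the buffer is treated as a C string, so the view
 * compared against xa.metadata covers only the bytes before the first NUL. */
static size_t shown_permission(const char *buf, size_t len, const char *key,
                               char *out, size_t outsz)
{
    (void)len;                               /* the real length is ignored */
    return context_value(buf, strlen(buf), key, out, outsz);
}

/* Runtime path: the whole file, length known, is what actually takes effect. */
static size_t applied_permission(const char *buf, size_t len, const char *key,
                                 char *out, size_t outsz)
{
    return context_value(buf, len, key, out, outsz);
}

/* True when the runtime would apply a `key` setting the install prompt did not
 * show: the signature of this CVE. */
static bool permission_hidden(const char *buf, size_t len, const char *key)
{
    char shown[64], applied[64];
    shown_permission(buf, len, key, shown, sizeof shown);
    applied_permission(buf, len, key, applied, sizeof applied);
    return strcmp(shown, applied) != 0;
}

/* Hardened check (the shape a fix must take): reject metadata containing a NUL
 * anywhere within its declared length before it is displayed or deployed. */
static bool metadata_is_valid(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) == NULL;
}

/* Hypothetical workaround helper for already-installed apps: read a deployed
 * metadata file by byte count, never as a string. 1 = clean, 0 = contains a
 * NUL, -1 = unreadable or larger than the audit buffer. */
static int metadata_file_is_clean(const char *path)
{
    static char buf[65536];                  /* metadata files are tiny */
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t len = fread(buf, 1, sizeof buf, f);
    int truncated = !feof(f);
    fclose(f);
    return truncated ? -1 : (metadata_is_valid(buf, len) ? 1 : 0);
}

int main(int argc, char **argv)
{
    if (argc > 1) {                          /* audit a metadata file on disk */
        int r = metadata_file_is_clean(argv[1]);
        printf("%s: %s\n", argv[1], r == 1 ? "clean" : r == 0 ? "CONTAINS NUL" : "unreadable");
        return r == 1 ? 0 : 1;
    }
    printf("filesystems hidden from install prompt: %s\n",
           permission_hidden(malicious_metadata, malicious_metadata_len, "filesystems") ? "yes" : "no");
    printf("metadata valid: %s\n",
           metadata_is_valid(malicious_metadata, malicious_metadata_len) ? "yes" : "no");
    return 0;
}
```

Run without arguments to see the constructed sample produce a hidden `filesystems=host;`; pass the path of a deployed metadata file to audit it. Any non-clean result means the file should be treated as untrusted regardless of what an install prompt showed.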