A vulnerability (CVE-2021-26910) has been identified in Firejail, a system for sandboxing applications, that allows a local user to elevate privileges to root. Firejail uses namespaces, AppArmor and system call filtering (seccomp-bpf) for isolation on Linux, but it needs elevated privileges to set up the isolated launch, which it obtains either by installing the utility with the suid root bit or by running it with sudo.
The vulnerability is caused by a flaw in the code that supports the OverlayFS file system, which is used to create an additional layer on top of the main file system to store changes made by an isolated process. The intent is that the isolated process gets read access to the main file system while all write operations are redirected to temporary storage and do not affect the real main file system. By default, OverlayFS partitions are mounted in the user’s home directory, for example inside “/home/test/.firejail/[name]”, and the owner of these directories is set to root so that the current user cannot directly change their contents.
When setting up a sandboxed environment, Firejail checks that the root of the temporary OverlayFS partition is not writable by an unprivileged user. The vulnerability is a race condition: the check and the mount are not performed atomically, and there is a short window between checking and mounting in which the .firejail directory owned by root can be replaced with a directory to which the current user has write access (since .firejail is created in the user’s home directory, the user can rename it). Write access to the .firejail directory makes it possible to redirect the OverlayFS mount points through a symlink and change arbitrary files on the system.
The researcher prepared a working prototype of the exploit, which will be published one week after the patch is released. The problem has been present since version 0.9.30. In 0.9.64.4 the vulnerability is blocked by disabling OverlayFS support. The vulnerability can also be blocked by turning off OverlayFS: add the “overlayfs” parameter with the value “no” to /etc/firejail/firejail.config.
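To check whether a host is still exposed, the following audit script (an added example, not Firejail project code) compares the installed version against the affected range given above, verifies that the “overlayfs no” mitigation is actually in effect in firejail.config, and reports properties of ~/.firejail that undermine the ownership check. It assumes firejail.config uses “key value” lines with “#” comments and that `firejail --version` prints a line of the form “firejail version X.Y.Z[.W]”.

```python
"""Audit a Linux host for exposure to the Firejail OverlayFS race (CVE-2021-26910).
Added example, not Firejail project code. Assumes 'key value' config lines with
'#' comments and a 'firejail version X.Y.Z[.W]' line from `firejail --version`."""
import os
import re
import shutil
import stat
import subprocess

AFFECTED_FROM = (0, 9, 30)    # first affected release, per the advisory
FIXED_IN = (0, 9, 64, 4)      # release that disables OverlayFS support

def parse_version(text):
    """Extract a numeric version tuple from `firejail --version` output."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def version_affected(ver):
    """True if ver lies in [0.9.30, 0.9.64.4); tuple comparison handles 3- and 4-part versions."""
    return ver is not None and AFFECTED_FROM <= ver < FIXED_IN

def overlayfs_disabled(config_text):
    """True only if the last effective (non-commented) 'overlayfs' directive is 'no'."""
    value = None
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(parts) == 2 and parts[0] == "overlayfs":
            value = parts[1].lower()            # last directive wins
    return value == "no"

def overlay_dir_findings(path):
    """Report properties of a ~/.firejail directory that weaken the root-ownership check."""
    try:
        st = os.lstat(path)                     # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return []
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink")
    if st.st_uid != 0:
        findings.append("not owned by root (uid %d)" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings

def audit(config_path="/etc/firejail/firejail.config"):
    """Collect the three checks into one report; missing config means OverlayFS stays enabled."""
    report = {"version_affected": None}
    if shutil.which("firejail"):
        out = subprocess.run(["firejail", "--version"], capture_output=True, text=True).stdout
        report["version_affected"] = version_affected(parse_version(out))
    try:
        with open(config_path) as f:
            report["overlayfs_disabled"] = overlayfs_disabled(f.read())
    except OSError:
        report["overlayfs_disabled"] = False
    report["dir_findings"] = overlay_dir_findings(os.path.expanduser("~/.firejail"))
    return report
```

A host is mitigated when `version_affected` is False or `overlayfs_disabled` is True; any entry in `dir_findings` is worth investigating even on a patched system.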
A second severe vulnerability (CVE-2021-26675) has been identified in the network configurator ConnMan.