In the utility for isolated execution of applications firejail Identified vulnerability ( cve-2022-31214 ), which allows a local user to obtain Root rights in the main system. Openly available is the worker exploit , proven in the actual Opensuse releases, Debian , Arch, Gentoo and Fedora with the Firejail utility set. The problem is fixed in the issue of firejail 0.9.70 . As a workaround, you can set in the settings (/etc/firejail/firejail.config) the parameters “Join no” and “Force-nonewprivs Yes”.
FIREJAIL uses for isolation the mechanism of names, Apparmor, and system calls (secComp-bpf) in Linux, but to configure isolated launch requires increased privileges that it receives through linking to the SUID ROOT flag or starting using SUDO . The vulnerability is caused by the error in the logic of the option “–join =”, designed to connect to an already working isolated environment (analogue of the Login command but for Sandbox-detachment) with the determination of the environment by working in it
The identifier of the process. At the stage, Firejail defines the privileges of this process and applies them to the new process connected to the environment using the option –join.
Before connecting, a check is carried out whether the specified process is launched surrounded by Firejail. This check is performed by the presence of the file/run/firejail/mnt/join. For the operation of vulnerability, the attacker can simulate a fictitious non -isolated environment of Firejail using the Mount Namespace point, and then connect to it using the Join option. If the settings do not activate the prohibition of additional privileges in new processes (prctl no_new_privs), Firejail will connect the user to a fictitious environment and try to apply the settings of the user identifiers (user name 1).
As a result, the connected environment is in the initial space of the names of user identifiers with invariable privileges for the user, but the mounting point of the mounting points is completely controlled by the attackers. Including the attacker can perform the SETUID-ROOT programs in the mounting space created by him, which allows, for example, to use other settings /etc /suoers or change the PAM parameters in their file hierarchy and get the ability to perform ROOT rights using SUDO utilities or SU.