5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
8.2 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
0.001 Low
EPSS
Percentile
50.2%
The remote Ubuntu 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by a vulnerability as referenced in the USN-4951-1 advisory.
@@
and/or @@u
in the Exec field of a Flatpak app’s .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit Disallow @@ and @@U usage in desktop files
. The follow-up commits dir: Reserve the whole @@ prefix
and dir: Refuse to export .desktop files with suspicious uses of @@ tokens
are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported .desktop
files in exports/share/applications/*.desktop
(typically ~/.local/share/flatpak/exports/share/applications/*.desktop
and /var/lib/flatpak/exports/share/applications/*.desktop
) to make sure that literal filenames do not follow @@
or @@u
. (CVE-2021-21381)Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4951-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(149404);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/16");
script_cve_id("CVE-2021-21381");
script_xref(name:"USN", value:"4951-1");
script_name(english:"Ubuntu 18.04 LTS / 20.04 LTS : Flatpak vulnerability (USN-4951-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by a vulnerability as
referenced in the USN-4951-1 advisory.
- Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In
Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the file forwarding
feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by
the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak
app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had
chosen to open a target file with their Flatpak app, which automatically makes that file available to the
Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit `Disallow @@ and @@U
usage in desktop files`. The follow-up commits `dir: Reserve the whole @@ prefix` and `dir: Refuse to
export .desktop files with suspicious uses of @@ tokens` are recommended, but not strictly required. As a
workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported
`.desktop` files in `exports/share/applications/*.desktop` (typically
`~/.local/share/flatpak/exports/share/applications/*.desktop` and
`/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow
`@@` or `@@u`. (CVE-2021-21381)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4951-1");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-21381");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/03/10");
script_set_attribute(attribute:"patch_publication_date", value:"2021/05/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/05/12");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:flatpak");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:flatpak-tests");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:gir1.2-flatpak-1.0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libflatpak-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libflatpak0");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('18.04' >< os_release || '20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var pkgs = [
{'osver': '18.04', 'pkgname': 'flatpak', 'pkgver': '1.0.9-0ubuntu0.3'},
{'osver': '18.04', 'pkgname': 'flatpak-tests', 'pkgver': '1.0.9-0ubuntu0.3'},
{'osver': '18.04', 'pkgname': 'gir1.2-flatpak-1.0', 'pkgver': '1.0.9-0ubuntu0.3'},
{'osver': '18.04', 'pkgname': 'libflatpak-dev', 'pkgver': '1.0.9-0ubuntu0.3'},
{'osver': '18.04', 'pkgname': 'libflatpak0', 'pkgver': '1.0.9-0ubuntu0.3'},
{'osver': '20.04', 'pkgname': 'flatpak', 'pkgver': '1.6.5-0ubuntu0.3'},
{'osver': '20.04', 'pkgname': 'flatpak-tests', 'pkgver': '1.6.5-0ubuntu0.3'},
{'osver': '20.04', 'pkgname': 'gir1.2-flatpak-1.0', 'pkgver': '1.6.5-0ubuntu0.3'},
{'osver': '20.04', 'pkgname': 'libflatpak-dev', 'pkgver': '1.6.5-0ubuntu0.3'},
{'osver': '20.04', 'pkgname': 'libflatpak0', 'pkgver': '1.6.5-0ubuntu0.3'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var osver = NULL;
var pkgname = NULL;
var pkgver = NULL;
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
if (osver && pkgname && pkgver) {
if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
var tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'flatpak / flatpak-tests / gir1.2-flatpak-1.0 / libflatpak-dev / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 18.04 | cpe:/o:canonical:ubuntu_linux:18.04:-:lts |
canonical | ubuntu_linux | 20.04 | cpe:/o:canonical:ubuntu_linux:20.04:-:lts |
canonical | ubuntu_linux | flatpak | p-cpe:/a:canonical:ubuntu_linux:flatpak |
canonical | ubuntu_linux | flatpak-tests | p-cpe:/a:canonical:ubuntu_linux:flatpak-tests |
canonical | ubuntu_linux | gir1.2-flatpak-1.0 | p-cpe:/a:canonical:ubuntu_linux:gir1.2-flatpak-1.0 |
canonical | ubuntu_linux | libflatpak-dev | p-cpe:/a:canonical:ubuntu_linux:libflatpak-dev |
canonical | ubuntu_linux | libflatpak0 | p-cpe:/a:canonical:ubuntu_linux:libflatpak0 |
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
8.2 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
0.001 Low
EPSS
Percentile
50.2%