CVE-2020-17367

7.8 HIGH

📋 TL;DR

CVE-2020-17367 is a command injection vulnerability in Firejail, a Linux sandboxing tool, where the -- end-of-options indicator is not properly honored after the --output option. This allows attackers to inject arbitrary commands when Firejail is invoked with untrusted input, potentially leading to privilege escalation or unauthorized access. Users of Firejail versions up to 0.9.62 are affected.

💻 Affected Systems

Products:
  • Firejail
Versions: Through 0.9.62
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is present in default configurations when Firejail is used with the --output option and untrusted command-line arguments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could execute arbitrary commands with the privileges of the Firejail process, potentially leading to full system compromise, data theft, or lateral movement within a network.

🟠 Likely Case

In real-world scenarios, this could be exploited to escape the sandbox, gain elevated privileges, or execute malicious payloads on systems where Firejail is used with untrusted inputs, such as in shared hosting or containerized environments.

🟢 If Mitigated

If proper input validation and least privilege principles are applied, the impact is reduced to limited command execution within the sandbox, but still poses a risk of sandbox escape.

🌐 Internet-Facing: MEDIUM, as Firejail is typically used locally or in internal systems, but could be exposed if integrated into web services or remote management tools.
🏢 Internal Only: HIGH, because Firejail is commonly deployed on Linux servers and workstations for security isolation, making internal exploitation more probable in environments with untrusted user inputs.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to control command-line arguments passed to Firejail, often in scenarios with user-provided inputs or scripts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.63 and later

Vendor Advisory: https://github.com/netblue30/firejail

Restart Required: No

Instructions:

1. Update Firejail to version 0.9.63 or higher using your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade firejail
3. For Fedora: sudo dnf update firejail
4. Verify the update with firejail --version

🔧 Temporary Workarounds

Avoid using --output with untrusted inputs (Linux)

Do not pass user-controlled arguments after the --output option in Firejail commands to prevent command injection.

🧯 If You Can't Patch

  • Restrict Firejail usage to trusted users and inputs only.
  • Implement strict input validation and sanitization for any scripts or applications invoking Firejail.

🔍 How to Verify

Check if Vulnerable:

Run firejail --version and check if the version is 0.9.62 or earlier. If so, the system is vulnerable.

Check Version:

firejail --version

Verify Fix Applied:

After updating, run firejail --version to confirm the version is 0.9.63 or later.

📡 Detection & Monitoring

Log Indicators:

  • Look for unusual command executions or errors in system logs related to Firejail processes, especially with --output arguments.

Network Indicators:

  • No specific network indicators; this is a local command injection vulnerability.

SIEM Query:

Example: Process execution logs where firejail is invoked with suspicious arguments after --output.
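As an added example (not from this page or the Firejail project), the following Python script applies the query idea above to constructed process-execution log lines: it flags direct firejail invocations in which any argument after --output= carries shell metacharacters. The "<ts> uid=<n> cmd=<argv>" log layout is an assumption made for this example.

```python
import os
import re
import shlex

# Shell metacharacters that must not appear in arguments following --output
# on an unpatched Firejail (<= 0.9.62), where they reach a shell unescaped.
SHELL_META = set(";|&$`<>()\n")

# Constructed sample process-execution log lines; the "<ts> uid=<n> cmd=<argv>"
# layout is an assumption for this example, not a real audit log format.
SAMPLE_LOGS = [
    "2020-08-10T10:00:01Z uid=1000 cmd=firejail --output=/tmp/app.log -- /usr/bin/app --port 8080",
    "2020-08-10T10:00:02Z uid=1000 cmd=firejail --private --output=/tmp/app.log -- app 'x; id'",
    "2020-08-10T10:00:03Z uid=1001 cmd=/usr/bin/firejail --output=/tmp/e.log -- app $(id)",
    "2020-08-10T10:00:04Z uid=1000 cmd=firejail --private -- app 'x; id'",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) cmd=(?P<cmd>.+)$")


def parse_line(line):
    """Split one log line into (ts, uid, argv); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        argv = shlex.split(m.group("cmd"))
    except ValueError:  # unbalanced quotes: refuse to guess
        return None
    return (m.group("ts"), int(m.group("uid")), argv)


def tainted_args(argv):
    """Arguments after --output= that carry shell metacharacters, [] if none."""
    if not argv or os.path.basename(argv[0]) != "firejail":
        return []
    idx = next((i for i, a in enumerate(argv) if a.startswith("--output=")), None)
    if idx is None:
        return []
    # Everything after --output=<file>, including what follows "--", is suspect,
    # because the vulnerable versions do not honor "--" there.
    return [a for a in argv[idx + 1:] if SHELL_META & set(a)]


def scan(lines):
    """Return (ts, uid, tainted_args) for every flagged firejail invocation."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        bad = tainted_args(rec[2])
        if bad:
            hits.append((rec[0], rec[1], bad))
    return hits
```

Invocations wrapped in another shell (for example bash -c '...') are not inspected by this check, since argv[0] is then not firejail; extend parse_line if your logs record nested command lines.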
