CVE-2020-17368

9.8 CRITICAL

📋 TL;DR

CVE-2020-17368 is a command injection vulnerability in Firejail up to and including version 0.9.62 that allows an attacker to execute arbitrary commands on the host system. It is triggered when shell metacharacters are passed in the value of the --output or --output-stderr option. Any system running a vulnerable Firejail version and using these options is affected.

💻 Affected Systems

Products:
  • Firejail
Versions: All versions through 0.9.62
Operating Systems: Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using --output or --output-stderr options with untrusted input containing shell metacharacters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root privileges, allowing complete control over the host system, data theft, and lateral movement.

🟠 Likely Case

Privilege escalation from a lower-privileged user to root, enabling unauthorized access to sensitive data and system resources.

🟢 If Mitigated

Limited impact if proper sandboxing and least privilege principles are followed, potentially containing the exploit within the sandbox.

🌐 Internet-Facing: MEDIUM - Firejail is typically used for local process sandboxing, but could be exposed through web applications or services using it.
🏢 Internal Only: HIGH - Most Firejail deployments are internal, and authenticated users could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to execute Firejail with the vulnerable options and ability to control input containing shell metacharacters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.63 and later

Vendor Advisory: https://github.com/netblue30/firejail/security/advisories

Restart Required: No

Instructions:

1. Update Firejail to version 0.9.63 or later using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade firejail
3. For Fedora: sudo dnf update firejail
4. For source installations: git pull from the repository and rebuild.

🔧 Temporary Workarounds

Avoid vulnerable options (linux)

Do not use the --output or --output-stderr options with untrusted input.

Input sanitization (linux)

Sanitize all input passed to Firejail commands to remove shell metacharacters.

🧯 If You Can't Patch

  • Remove Firejail from systems where it's not essential
  • Implement strict access controls to limit who can execute Firejail with vulnerable options

🔍 How to Verify

Check if Vulnerable:

Check the Firejail version with firejail --version. If the version is 0.9.62 or earlier, the system is vulnerable.

Check Version:

firejail --version

Verify Fix Applied:

After the update, verify that the version is 0.9.63 or later: firejail --version
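A shell check that automates the version test above, added here as an example and not part of this advisory or of the Firejail project. It assumes the first line printed by firejail --version reads "firejail version X.Y.Z" and takes that line as an argument, so the comparison logic can be exercised on hosts where the binary is not installed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Firejail version banner
# against the CVE-2020-17368 fix version, 0.9.63.

# Compare two dotted numeric versions component by component.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2. Missing components count as 0,
# so "0.9" compares as "0.9.0".
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Takes the first line of `firejail --version` as $1 (assumed format:
# "firejail version X.Y.Z[-suffix]"). Exit status: 0 = vulnerable (<= 0.9.62),
# 1 = fixed (>= 0.9.63), 2 = banner could not be parsed.
firejail_vulnerable() {
    ver=$(printf '%s\n' "$1" \
          | sed -n 's/^firejail version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    ver=${ver%.}          # drop a stray trailing dot, if any
    [ "$(vercmp "$ver" "0.9.63")" -lt 0 ]
}

# Live check on this host; `|| rc=$?` keeps `set -e` from aborting on a
# non-zero verdict. A missing binary yields an empty banner and status 2.
rc=0
firejail_vulnerable "$(firejail --version 2>/dev/null | head -n 1)" || rc=$?
case $rc in
    0) echo "VULNERABLE: Firejail <= 0.9.62, update to 0.9.63 or later" ;;
    1) echo "OK: Firejail >= 0.9.63" ;;
    *) echo "UNKNOWN: could not parse firejail --version output" ;;
esac
```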

📡 Detection & Monitoring

Log Indicators:

  • Unusual Firejail process executions with --output or --output-stderr options
  • Shell commands executed from Firejail processes

Network Indicators:

  • Outbound connections from Firejail processes to unexpected destinations

SIEM Query:

process_name:"firejail" AND (command_line:"--output" OR command_line:"--output-stderr")
