CVE-2020-5291

7.2 HIGH

📋 TL;DR

This vulnerability in Bubblewrap (bwrap) allows local attackers to gain root privileges when the software is installed in setuid mode and the kernel supports unprivileged user namespaces. By using the --userns2 option, attackers can trace the setuid process running as root and escalate privileges. This primarily affects specific Linux distributions with non-default configurations.

💻 Affected Systems

Products:
  • Bubblewrap (bwrap)
Versions: All versions before 0.4.1
Operating Systems: Linux distributions with specific configurations
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when: 1) Bubblewrap installed in setuid mode, AND 2) Kernel supports unprivileged user namespaces, AND 3) Unprivileged user namespaces are enabled (non-default on listed distributions).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full root privileges on the system, enabling complete system compromise, data theft, persistence, and lateral movement.

🟠 Likely Case

Local user with shell access escalates to root privileges, gaining full control over the affected system.

🟢 If Mitigated

No privilege escalation possible; attacker remains confined to their original user permissions.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring shell access to the system.
🏢 Internal Only: HIGH - Any user with shell access on affected systems can potentially gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local shell access. The vulnerability is well-documented with technical details available in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.1

Vendor Advisory: https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj

Restart Required: No

Instructions:

1. Update bubblewrap to version 0.4.1 or later using your distribution's package manager.
2. For Debian testing/unstable: apt update && apt upgrade bubblewrap
3. For Arch: pacman -Syu bubblewrap
4. For CentOS 7 COPR: yum update bubblewrap

🔧 Temporary Workarounds

Disable unprivileged user namespaces (Linux)

Prevents the vulnerability by disabling the kernel feature required for exploitation.

echo 'kernel.unprivileged_userns_clone=0' > /etc/sysctl.d/disable-userns.conf
sysctl -p /etc/sysctl.d/disable-userns.conf

Remove setuid bit from bubblewrap (Linux)

Removes the setuid privilege that enables the vulnerability.

chmod u-s "$(command -v bwrap)"

🧯 If You Can't Patch

  • Apply workaround to disable unprivileged user namespaces
  • Remove setuid bit from bubblewrap binary
  • Restrict user access to systems with vulnerable configurations

🔍 How to Verify

Check if Vulnerable:

A system is vulnerable only if all three checks are positive:

  • Bubblewrap version is <0.4.1: bwrap --version
  • The bwrap binary has the setuid bit set: ls -la $(which bwrap) | grep '^...s'
  • Unprivileged user namespaces are enabled: sysctl kernel.unprivileged_userns_clone

Check Version:

bwrap --version

Verify Fix Applied:

Verify bubblewrap version is >=0.4.1: bwrap --version
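
The three checks above combined into a single verdict, as an added example that is not from the advisory or the Bubblewrap project. The function names are hypothetical, and a kernel that lacks the kernel.unprivileged_userns_clone sysctl is assumed to have unprivileged user namespaces enabled.

```shell
#!/bin/sh
# Added example: exposure check for the three conditions listed above.
# Function names are hypothetical; nothing here comes from the bubblewrap project.

# version_lt A B: succeed when dotted version A is strictly older than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*} y=${y%%[!0-9]*}      # drop suffixes such as "-rc1"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# userns_enabled [FILE]: print yes/no from the sysctl the page names.
# Assumption: a kernel without this knob is treated as having it enabled.
userns_enabled() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] || { echo yes; return 0; }
    [ "$(cat "$f")" = 1 ] && echo yes || echo no
}

# bwrap_setuid: print yes when the resolved bwrap binary carries the setuid bit.
bwrap_setuid() {
    [ -u "$(command -v bwrap)" ] && echo yes || echo no
}

# assess VERSION SETUID USERNS: combine the three conditions into one verdict.
assess() {
    if ! version_lt "$1" 0.4.1; then
        echo patched
    elif [ "$2" = yes ] && [ "$3" = yes ]; then
        echo vulnerable
    else
        echo not-exploitable    # old version, but a precondition is missing
    fi
}

if command -v bwrap >/dev/null 2>&1; then
    ver=$(bwrap --version 2>/dev/null | awk '{print $2; exit}')
    echo "bwrap ${ver:-unknown}: $(assess "$ver" "$(bwrap_setuid)" "$(userns_enabled)")"
else
    echo "bwrap not found in PATH"
fi
```

A result of not-exploitable still means the installed version predates the fix, so the host becomes exposed again if the setuid bit or the sysctl is later changed.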

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts
  • Processes running bwrap with --userns2 flag
  • Failed setuid operations

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

process.name:"bwrap" AND process.args:"--userns2"
