CVE-2021-26910

7.8 HIGH

📋 TL;DR

This vulnerability in Firejail allows a local attacker to bypass the sandbox's intended access restrictions through a TOCTOU (time-of-check to time-of-use) race condition between a stat operation and an OverlayFS mount operation. An attacker can exploit this to gain unauthorized access to files or execute commands outside the intended sandbox. Users of Firejail versions before 0.9.64.4 are affected.

💻 Affected Systems

Products:
  • Firejail
Versions: All versions before 0.9.64.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects all Firejail installations using OverlayFS for sandboxing. Requires local access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete sandbox escape allowing attackers to execute arbitrary code on the host system with the privileges of the Firejail process.

🟠 Likely Case: Unauthorized file access or privilege escalation within the host system, potentially leading to data theft or further system compromise.

🟢 If Mitigated: Limited impact if Firejail is running with minimal privileges and proper access controls are in place on the host system.

🌐 Internet-Facing: LOW - Firejail is typically used for local process isolation, not directly internet-facing services.
🏢 Internal Only: MEDIUM - Exploitation requires local access, but could lead to privilege escalation in multi-user systems or container environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of the race condition timing. Proof-of-concept details are publicly available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.64.4

Vendor Advisory: https://github.com/netblue30/firejail/releases/tag/0.9.64.4

Restart Required: Yes

Instructions:

1. Update Firejail to version 0.9.64.4 or later using your distribution's package manager.
2. Restart all Firejail processes.
3. For source installations: download from GitHub, compile, and replace the existing binary.

🔧 Temporary Workarounds

Disable OverlayFS (Linux)

Temporarily disable OverlayFS usage in Firejail to prevent exploitation of this race condition:

firejail --disable-overlayfs

🧯 If You Can't Patch

  • Restrict Firejail usage to trusted users only
  • Run Firejail with minimal privileges using unprivileged user accounts

🔍 How to Verify

Check if Vulnerable:

Run 'firejail --version'. If the reported version is below 0.9.64.4, the system is vulnerable.

Check Version:

firejail --version

Verify Fix Applied:

After updating, run 'firejail --version' again and confirm the reported version is 0.9.64.4 or higher.
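The version check above can be scripted for fleet-wide verification. The following POSIX shell script is an added example, not part of this advisory or of the Firejail project; it assumes the first line of 'firejail --version' output has the form "firejail version X.Y.Z[.W]" (this format is an assumption), pads shorter version strings with zeros, and compares field by field against the fixed version 0.9.64.4. The sample version strings at the bottom are constructed for offline use, not real captures.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed Firejail
# version as "vulnerable" or "fixed" with respect to CVE-2021-26910.

FIXED_VERSION="0.9.64.4"

# version_lt A B: succeeds (returns 0) when dotted version A is strictly
# lower than B. Both are padded to four numeric fields, so "0.9.64" is
# compared as "0.9.64.0".
version_lt() {
    a=$(printf '%s.0.0.0' "$1" | cut -d. -f1-4)
    b=$(printf '%s.0.0.0' "$2" | cut -d. -f1-4)
    i=1
    while [ "$i" -le 4 ]; do
        x=$(echo "$a" | cut -d. -f"$i")
        y=$(echo "$b" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# extract_version: pull "x.y.z[.w]" out of the first line of the
# --version output. Output format "firejail version X.Y.Z" is an assumption.
extract_version() {
    printf '%s\n' "$1" | sed -n '1s/.*version \([0-9][0-9.]*\).*/\1/p'
}

# check_firejail_output: print "vulnerable", "fixed" or "unknown" for a
# given 'firejail --version' output string.
check_firejail_output() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# Constructed sample outputs (not real captures) so the script runs offline.
SAMPLE_OLD="firejail version 0.9.64.2"
SAMPLE_NEW="firejail version 0.9.66"

if command -v firejail >/dev/null 2>&1; then
    # Live check against the installed binary.
    echo "installed firejail: $(check_firejail_output "$(firejail --version 2>/dev/null)")"
else
    echo "firejail not installed; sample checks: $(check_firejail_output "$SAMPLE_OLD") / $(check_firejail_output "$SAMPLE_NEW")"
fi
```

On a host with Firejail installed the script reports the live result; elsewhere it classifies the two constructed samples (0.9.64.2 as vulnerable, 0.9.66 as fixed). Because the comparison is numeric per field, it also handles three-field releases such as 0.9.64 correctly instead of falling into string-ordering mistakes.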

📡 Detection & Monitoring

Log Indicators:

  • Unusual OverlayFS mount operations in system logs
  • Failed sandbox escape attempts in Firejail logs

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

Search for process execution patterns where a Firejail process spawns unexpected child processes or accesses files outside the sandbox boundaries it was launched with.
