CVE-2024-42472 (ALSA-2024:6422)
CVSS Base Score:
NVD: 10.0 (CNA)
Red Hat: 7.4
Severity:
NVD: Critical (CNA)
Red Hat: Important
NetWitness Platform 12.5 and prior versions. This issue does not impact any version of NetWitness, but vulnerability scanners may flag versions 12.5 and prior because the bubblewrap package is installed.
The Flatpak sandbox escape is not applicable to NetWitness, because Flatpak itself is not installed in the environment. The bubblewrap update that addresses this vulnerability therefore does not change the behavior or the security posture of the system.
Flatpak is a Linux application sandboxing and distribution framework. In versions prior to 1.14.10 and 1.15.10, a malicious or compromised Flatpak app that uses persistent directories can read and write files outside of its intended boundaries. This flaw affects the integrity and confidentiality of the system.
When the persistent=subdir permission is used (--persist=subdir on the command line), an application that has no access to the real user home directory is instead presented with an empty home directory containing one writable subdirectory. That subdirectory is a bind mount of ~/.var/app/$APPID/subdir on the host. The application also has write access to the parent directory ~/.var/app/$APPID, so it can remove the source directory and replace it with a symlink. The next time the application starts, the bind mount follows the symlink, and the application gains read/write access to whatever the symlink points to, outside the sandbox.
Flatpak-only patches provide partial protection, but they do not close a time-of-check/time-of-use race condition that could still be exploited. Full mitigation requires an update to bubblewrap (the sandboxing tool used by Flatpak) together with a corresponding Flatpak patch that uses the new bubblewrap option.
The vulnerability is patched in Flatpak versions 1.14.10 (stable branch) and 1.15.10 (development branch). Older versions (1.12.x and 1.10.x) will not receive updates, so long-term support OS distributions need to backport these changes or update to newer versions.
Workaround: Avoid installing or running applications that request the persistent (--persist) permission; it appears as a persistent= entry in the output of flatpak info --show-permissions APPID.
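The following audit script is an added example, not Flatpak, Red Hat or NetWitness code. It reads the persistent= entries from a Flatpak app's metadata keyfile and checks whether the matching source directories under ~/.var/app/$APPID/ have been replaced by symlinks, which is the precondition for the escape described above. The metadata layout it parses (a [Context] section with a ';'-separated persistent= list), the sample app IDs, the sample metadata and the throwaway home directory are constructed for the example; on a real host the metadata is what flatpak info --show-permissions APPID prints.

```python
"""Audit Flatpak apps for the CVE-2024-42472 precondition.

Added example; not Flatpak, Red Hat or NetWitness code. It assumes the
standard Flatpak layout: an app's metadata keyfile has a [Context] section
whose persistent= key is a ';'-separated list of home-relative subdirs, and
the matching host directories live under ~/.var/app/$APPID/<subdir>. On an
unpatched stack a symlink at that path is followed by the bind mount at the
next launch, so any symlink there is a finding.
"""
import configparser
import os
import tempfile
from pathlib import Path


def parse_persistent(metadata_text: str) -> list[str]:
    """Return the persistent= subdirs declared in a Flatpak metadata keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(metadata_text)
    raw = cp.get("Context", "persistent", fallback="")
    return [p for p in raw.split(";") if p]


def audit_app(home: Path, app_id: str, persistent: list[str]) -> dict[str, str]:
    """Map each persistent subdir to a verdict: ok, missing, symlink, or escape."""
    app_data = (home / ".var" / "app" / app_id).resolve()
    verdicts = {}
    for sub in persistent:
        src = app_data / sub
        if src.is_symlink():
            # realpath follows the whole chain, as the bind mount would.
            target = Path(os.path.realpath(src))
            if target.is_relative_to(app_data):
                verdicts[sub] = "symlink"              # suspicious but contained
            else:
                verdicts[sub] = f"escape -> {target}"  # sandbox escape path
        elif not src.exists():
            verdicts[sub] = "missing"                  # created on first launch
        elif src.is_dir():
            verdicts[sub] = "ok"
        else:
            verdicts[sub] = "not-a-directory"
    return verdicts


# Constructed sample metadata, shaped like a Flatpak keyfile (not a real app).
SAMPLE_METADATA = """\
[Application]
name=org.example.Notes
runtime=org.freedesktop.Platform/x86_64/23.08
command=notes

[Context]
shared=network;ipc;
sockets=wayland;
persistent=.notes;.cache/notes;
"""


def demo() -> dict[str, dict[str, str]]:
    """Build a throwaway home with one benign and one tampered app and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".ssh").mkdir()  # the directory a malicious app would aim for
        subdirs = parse_persistent(SAMPLE_METADATA)

        benign = home / ".var" / "app" / "org.example.Notes"
        (benign / ".notes").mkdir(parents=True)
        (benign / ".cache").mkdir()

        evil = home / ".var" / "app" / "org.example.Evil"
        (evil / ".cache").mkdir(parents=True)
        # What a compromised app can do with write access to ~/.var/app/$APPID:
        os.symlink(home / ".ssh", evil / ".notes")

        report = {
            "org.example.Notes": audit_app(home, "org.example.Notes", subdirs),
            "org.example.Evil": audit_app(home, "org.example.Evil", subdirs),
        }
        for app, verdicts in report.items():
            for sub, verdict in verdicts.items():
                print(f"{app}: {sub}: {verdict}")
        return report


if __name__ == "__main__":
    demo()
```

The demo builds a home directory with one benign app and one whose .notes source has been swapped for a symlink to ~/.ssh, and reports escape -> ... for the latter. A symlink that stays inside the app's own data directory is reported separately, since it is harmless on a patched stack but still worth a look; a persistent subdir that does not exist yet is reported as missing, because Flatpak creates it at first launch.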
Impact:
A malicious Flatpak application can bypass the sandbox restrictions and read or write files outside its intended scope, compromising both system integrity and confidentiality. Flatpak-only patches leave the race condition exploitable, so a system that has not also updated bubblewrap remains exposed to data leakage or system modification.
Impact Analysis for NetWitness:
The Flatpak sandbox escape stems from symlink following when a persistent directory is bind-mounted. The bubblewrap update closes the race condition by adding a new option that the patched Flatpak uses to bind-mount the directory by an already-open file descriptor rather than by path, but neither component is in use in this environment.
NetWitness does not have Flatpak installed, and Flatpak is required to exploit this vulnerability. The bubblewrap update that resolves the Flatpak issue therefore has no effect on NetWitness.
Workaround: None
No workaround is needed because NetWitness is not impacted. As a security best practice, NetWitness recommends upgrading to version 12.5.1, which includes the updated bubblewrap package (ALSA-2024:6422) that fixes the CVE.
For additional documentation, downloads and more, visit the NetWitness Platform page on NetWitness Community.
For an explanation of Severity Ratings, refer to Vulnerability Disclosure Policy. NetWitness recommends that all customers take into account both the base score and any relevant temporal and environmental scores, which may affect the potential severity associated with a particular security vulnerability.
NetWitness has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Customer Support. RSA Security LLC and its affiliates distribute RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products.
RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without a warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.
In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.