
Dangerous privilege escalation bugs found in Linux package manager Snap

Researchers have discovered an easy-to-exploit vulnerability in Snap, a universal application packaging and distribution system developed for Ubuntu but available on several Linux distributions. The flaw could allow a low-privileged user to run malicious code as root, the highest administrative account on Linux.

The vulnerability, tracked as CVE-2021-44731, is one of a series of flaws that researchers at security firm Qualys discovered in various Linux components while investigating the security of Snap. This latest issue, along with a separate issue tracked as CVE-2021-44730, resides in snap-confine, the setuid-root tool responsible for setting up the sandbox a snap application runs in.

What is Snap?

Snap is a package manager for Linux systems developed by Canonical, the company behind the popular Ubuntu desktop and server distribution. It provides a configurable level of security by packaging and deploying standalone applications called “snaps” that run inside constrained containers.

Being standalone, snap applications have no external dependencies, allowing the same package to work across distributions and deployment types. Traditionally, each major Linux distribution maintains its own package format, repositories and package manager: DEB packages on Debian and Ubuntu (the latter also supporting third-party PPA repositories), RPM on Fedora and Red Hat, Pacman packages on Arch Linux, and so on. All of these systems install the requested package and then pull in each of its dependencies as separate packages. A snap, on the other hand, is bundled with all the dependencies it needs, making it deployable on any Linux machine that runs the snapd service.

Snap comes with Ubuntu and several other Linux distributions by default, and is available as an option on many more, including the major ones. It is used not only for desktop applications but also for cloud and IoT application deployment.

Snap confinement, the system’s isolation feature, offers three levels (strict, classic and devmode), with strict mode used by most applications. In strict mode an application must explicitly request access, through snap interfaces, to files, other processes, or the network before it can use them. This is similar to the application sandboxing and permission model of mobile operating systems like Android.

As application sandboxing is one of Snap’s core capabilities, an elevation of privilege vulnerability that could break this isolation and gain control over the host system is considered very serious.

The privilege escalation flaws

Qualys researchers nicknamed the two snap-confine vulnerabilities “Oh Snap! More Lemmings”, because they follow another elevation-of-privilege flaw, called Dirty Sock, that was discovered in Snap in 2019. Since Dirty Sock, snap-confine has undergone a thorough security audit by the SUSE security team and is programmed very defensively, relying on many kernel security features, including AppArmor profiles, seccomp filters, and mount namespaces.

“In a matter of days, I almost gave up auditing,” Qualys said in its advisory. “Discovering and exploiting vulnerabilities in snap-confine has been very difficult (especially in the default installation of Ubuntu),” it added.

Nevertheless, the team found a few minor bugs and decided to keep going, which led to the discovery of two elevation-of-privilege vulnerabilities: CVE-2021-44730, a hardlink attack that is exploitable only in a non-default configuration, namely when the kernel’s fs.protected_hardlinks sysctl is set to 0; and CVE-2021-44731, a race condition that is exploitable in default installations of Ubuntu Desktop and near-default installations of Ubuntu Server.
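A host check for the precondition described above, added here as example code (it is not Qualys’ or Canonical’s): it reads the fs.protected_hardlinks sysctl that CVE-2021-44730 depends on and, for an unprivileged caller, probes the primitive that sysctl blocks by trying to hard-link a root-owned file into a temp directory. The probe target /etc/shadow and the three companion fs.protected_* sysctls reported for context are my assumptions; the article names only fs.protected_hardlinks.

```python
"""Check a host for the non-default precondition of CVE-2021-44730.

Added example for this article; not Qualys' or Canonical's code. The hardlink
attack on snap-confine only works when the kernel's fs.protected_hardlinks is 0.
At 1 (the Ubuntu default) an unprivileged user may hard-link a file only if they
own it or have read and write access to it; link() otherwise fails with EPERM.
"""
import errno
import os
import tempfile

SYSCTL_DIR = "/proc/sys/fs"
# Assumption beyond the article: protected_symlinks/regular/fifos are related
# hardening knobs reported only for context. Just protected_hardlinks is a
# precondition of CVE-2021-44730.
RELATED_SYSCTLS = ("protected_hardlinks", "protected_symlinks",
                   "protected_regular", "protected_fifos")


def parse_sysctl_value(text: str) -> int:
    """Parse the content of a /proc/sys/fs/protected_* file, e.g. '1\\n' -> 1."""
    return int(text.strip())


def read_fs_sysctl(name: str, base: str = SYSCTL_DIR):
    """Return the integer value of fs.<name>, or None when the kernel lacks it."""
    try:
        with open(os.path.join(base, name)) as f:
            return parse_sysctl_value(f.read())
    except FileNotFoundError:
        return None


def hardlink_precondition(protected_hardlinks) -> str:
    """Classify the CVE-2021-44730 precondition from fs.protected_hardlinks."""
    if protected_hardlinks is None:
        return "unknown: kernel does not expose fs.protected_hardlinks"
    if protected_hardlinks == 0:
        return "exposed: fs.protected_hardlinks=0 (non-default), hardlink attack possible"
    return "mitigated: fs.protected_hardlinks=1, users cannot link files they do not own"


def probe_hardlink(target: str = "/etc/shadow") -> str:
    """Empirically try the primitive the sysctl blocks: hard-link a root-owned,
    unreadable file into a fresh temp dir. Returns 'linked' (no protection, or the
    caller is privileged), 'EPERM' (protected), or 'EXDEV' (the temp dir is on
    another filesystem, so the probe is inconclusive). `target` is an assumed path."""
    link_dir = tempfile.mkdtemp(prefix="hl-probe-")
    link_path = os.path.join(link_dir, "probe")
    try:
        os.link(target, link_path)
    except PermissionError:
        return "EPERM"
    except OSError as e:
        if e.errno == errno.EXDEV:
            return "EXDEV"
        raise
    else:
        os.unlink(link_path)
        return "linked"
    finally:
        os.rmdir(link_dir)


if __name__ == "__main__":
    for name in RELATED_SYSCTLS:
        print(f"fs.{name} = {read_fs_sysctl(name)}")
    print(hardlink_precondition(read_fs_sysctl("protected_hardlinks")))
    if os.geteuid() != 0:  # as root, link() succeeds whatever the sysctl says
        print("hard-link probe:", probe_hardlink())
```

Run it as the unprivileged user whose exposure you are assessing: as root the probe always reports "linked", so only the sysctl reading is meaningful there.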

“This race condition opens up a world of possibilities. Within a snap’s mount namespace (which can be entered through snap-confine itself), a world-writable, non-sticky directory can be bind-mounted onto /tmp, or other parts of the filesystem can be bind-mounted onto /tmp,” the Qualys researchers said. “Use inotify to monitor /tmp/snap.lxd, use sched_setaffinity() to pin the exploit and snap-confine on the same CPU, and setpriority() and sched_setscheduler().”
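The race-winning primitives the quote names, shown as a benign harness added for this article (it is not Qualys’ exploit and does not touch snap-confine or /tmp/snap.lxd): a parent process watches a directory with inotify, called through ctypes so no third-party module is needed, while a child process pinned to the same CPU and pushed to the lowest scheduling class creates an entry there. The temp directory and the entry name snap.example are constructed for the example.

```python
"""The race-winning primitives named in the Qualys quote, as a benign harness.

Added example for this article, not Qualys' exploit code. A parent process
watches a directory with inotify (via ctypes, so no third-party module is
needed); a child pinned to the same CPU, with its priority lowered through
setpriority() and sched_setscheduler(), creates an entry there. The directory
is a temp dir created here and the entry name 'snap.example' is constructed;
nothing touches snap-confine or /tmp/snap.lxd.
"""
import ctypes
import os
import select
import struct
import tempfile
import time

IN_CREATE = 0x00000100      # values from <sys/inotify.h>
IN_MOVED_TO = 0x00000080
_EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len

_libc = ctypes.CDLL(None, use_errno=True)  # libc symbols already loaded in python
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]


class DirWatcher:
    """inotify watch on one directory for entries being created or moved in."""

    def __init__(self, path: str, mask: int = IN_CREATE | IN_MOVED_TO):
        self.fd = _libc.inotify_init1(os.O_NONBLOCK)
        if self.fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")
        if _libc.inotify_add_watch(self.fd, os.fsencode(path), mask) < 0:
            err = ctypes.get_errno()
            os.close(self.fd)
            raise OSError(err, "inotify_add_watch failed")

    def _events(self):
        """Decode every inotify_event record currently readable on the fd."""
        buf = os.read(self.fd, 64 * 1024)
        off = 0
        while off < len(buf):
            wd, mask, cookie, length = _EVENT_HDR.unpack_from(buf, off)
            off += _EVENT_HDR.size
            name = buf[off:off + length].rstrip(b"\0")  # name is NUL-padded
            off += length
            yield mask, name

    def wait_for(self, name: str, timeout: float):
        """Return the event mask once an entry called `name` appears, else None."""
        wanted = os.fsencode(name)
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            readable, _, _ = select.select([self.fd], [], [], remaining)
            if not readable:
                return None
            for mask, ename in self._events():
                if ename == wanted:
                    return mask

    def close(self):
        os.close(self.fd)


def pin_and_deprioritize(pid: int, cpu: int) -> None:
    """Confine `pid` to one CPU, then drop it to nice 19 and SCHED_IDLE so that a
    normal-priority process on the same CPU wins whenever both are runnable.
    Unprivileged callers may only do this to their own processes."""
    os.sched_setaffinity(pid, {cpu})
    os.setpriority(os.PRIO_PROCESS, pid, 19)
    os.sched_setscheduler(pid, os.SCHED_IDLE, os.sched_param(0))


def run_demo(entry: str = "snap.example", timeout: float = 5.0) -> int:
    """Watcher (parent) and deprioritized creator (child) share one CPU.
    Returns the inotify mask the watcher received for `entry` (0 on timeout)."""
    cpu = min(os.sched_getaffinity(0))           # any CPU this process may use
    watch_dir = tempfile.mkdtemp(prefix="watch-")
    watcher = DirWatcher(watch_dir)
    os.sched_setaffinity(0, {cpu})               # watcher shares the child's CPU
    pid = os.fork()
    if pid == 0:                                 # child: the "victim" side
        try:
            try:
                pin_and_deprioritize(0, cpu)
            except OSError:
                pass  # best effort: a refused scheduler call must not stop the demo
            fd = os.open(os.path.join(watch_dir, entry), os.O_CREAT | os.O_WRONLY, 0o644)
            os.close(fd)
        finally:
            os._exit(0)
    mask = watcher.wait_for(entry, timeout) or 0
    os.waitpid(pid, 0)
    watcher.close()
    try:
        os.unlink(os.path.join(watch_dir, entry))
    except FileNotFoundError:
        pass
    os.rmdir(watch_dir)
    return mask


if __name__ == "__main__":
    mask = run_demo()
    print("watcher saw mask 0x%x (IN_CREATE=%s)" % (mask, bool(mask & IN_CREATE)))
```

The watcher sleeps in select() and is woken by the kernel the instant the entry appears; pinning both sides to one CPU and demoting the creator is what turns that wake-up into a preemption of the creator, which is the window a race exploit needs. A detection engineer can reuse the same watcher to alert on unexpected entries under /tmp.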

In the course of investigating these flaws, Qualys researchers also discovered bugs in other libraries and components that Snap relies on: an unexpected return value from realpath() in glibc (CVE-2021-3998); an off-by-one buffer overflow/underflow in glibc’s getcwd() (CVE-2021-3999); and uncontrolled recursion in systemd’s systemd-tmpfiles (CVE-2021-3997). These flaws were patched in those components earlier in 2022.

Ubuntu has released patches for CVE-2021-44731 and CVE-2021-44730 for most supported releases, except for Ubuntu 16.04 under Extended Security Maintenance (ESM), which was still awaiting a fix at the time of writing. Both vulnerabilities are rated high severity.

Copyright © 2022 IDG Communications, Inc.
