Monday, June 24, 2024

Snap Privilege Escalation: Vulnerability in Linux Package Manager Snap

A newly discovered Snap flaw allows a low-privileged user to gain root access.

Researchers found an easy-to-exploit vulnerability in Snap, a universal application packaging and distribution system developed for Ubuntu but available on multiple Linux distributions. The flaw allows a low-privileged user to execute malicious code as root, the highest administrative account on Linux.

Snap privilege escalation

The vulnerability, tracked as CVE-2021-44731, is part of a series of flaws that researchers from security firm Qualys found in various Linux components while investigating the security of Snap. This latest one, along with a separate issue tracked as CVE-2021-44730, are in snap-confine, the tool responsible for setting up Snap application sandboxes.

What is Snap?

Snap is a package manager for Linux systems that was developed by Canonical, the company behind the popular Ubuntu desktop and server distribution. It allows the packaging and distribution of self-contained applications called “snaps” that run inside a restricted container, providing a configurable level of security.

By being self-contained, Snap applications don’t have external dependencies, which allows them to work cross-platform or cross-distribution. Traditionally, each major Linux distribution maintains its own pre-packaged software repository and software manager. Debian has DEB, Ubuntu has PPA, Fedora and Red Hat have RPM, Arch Linux has Pacman, and so on. All these systems pull in the desired package along with all other dependencies as separate packages. Snaps, on the other hand, come bundled with all the needed dependencies, making them universally deployable on all Linux systems that have the Snap service.

Snap ships by default on Ubuntu and several Linux distributions and is available as an option in many others, including the major ones. It’s used to distribute not only desktop applications, but also cloud and IoT ones.

Recommended:  NVIDIA DataBreach: Credentials of 71,000 Employees Leaked

Snap confinement — the isolation feature — has three levels of security with the Strict mode being used by most applications. In this mode, applications need to request access to access files, other processes, or the network. This is not unlike the application sandboxing and permissions model from mobile operating systems like Android.

Since application sandboxing is one of the core features of Snap, any privilege escalation vulnerability that allows escaping that isolation and taking control of the host system is considered very serious.

Privilege escalation flaws

The Qualys researchers have dubbed their two snap-confine vulnerabilities as “Oh Snap! More Lemmings” because they follow another privilege escalation flaw discovered in Snap in 2019 and dubbed Dirty Sock. Since Dirty Sock, Snap has seen a thorough security audit by the SUSE security team and in general is programmed very defensively, making use of many kernel security features such as AppArmor profiles, seccomp filters and mount namespaces.

“We almost abandoned our audit after a few days,” the Qualys researchers said in their advisory, adding that “discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu).”

Nevertheless, the team spotted a few minor bugs and decided to push on. This resulted in the discovery of two privilege escalation vulnerabilities: CVE-2021-44730, a hardlink attack that’s only exploitable in non-default configurations, namely when the kernel’s fs.protected_hardlinks is 0; and CVE-2021-44731, a race condition that is exploitable in default installations of Ubuntu Desktop and near-default installations of Ubuntu Server.

“This race condition opens up a world of possibilities: Inside the snap’s mount namespace (which we can enter through snap-confine itself), we can bind-mount a world-writable, non-sticky directory onto /tmp, or we can bind-mount any other part of the filesystem onto /tmp,” the Qualys researchers said. “We can reliably win this race condition, by monitoring /tmp/snap.lxd with inotify, by pinning our exploit and snap-confine to the same CPU with sched_setaffinity(), and by lowering snap-confine’s scheduling priority with setpriority() and sched_setscheduler().”

In the process of investigating these flaws, the Qualys researchers have also discovered bugs in other related libraries and components that Snap uses: Unauthorized unmounts in util-linux’s libmount (CVE-2021-3996 and CVE-2021-3995); unexpected return value from glibc’s realpath() (CVE-2021-3998); off-by-one buffer overflow/underflow in glibc’s getcwd() (CVE-2021-3999); Uncontrolled recursion in systemd’s systemd-tmpfiles (CVE-2021-3997). These flaws were patched in those respective components earlier this year.

Recommended:  Security Breach Allegations Hover Over TikTok

Ubuntu has released patches for CVE-2021-44731 and CVE-2021-44730 for most of its supported Linux editions, except for 16.04 ESM (Extended Security Maintenance) which is still awaiting a fix. Both vulnerabilities are rated as high severity.

You may also enjoy reading, Q4/21: Sees More DDoS Attacks Than Ever Before


Got to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates