New Linux Privilege Escalation Flaw Uncovered in Snap Package Manager

Multiple security vulnerabilities have been disclosed in
Canonical’s Snap[1]
software packaging and deployment system, the most critical of
which can be exploited by a local user to gain root privileges.

Snaps are self-contained application packages that are designed
to work on operating systems that use the Linux kernel and can be
installed using a tool called snapd.

Tracked as CVE-2021-44731, the issue is a
privilege escalation flaw in snap-confine[2],
a program used internally by snapd to construct the
execution environment for snap applications. The shortcoming is
rated 7.8 on the CVSS scoring system.

“Successful exploitation of this vulnerability allows any
unprivileged user to gain root privileges on the vulnerable host,”
Bharat Jogi, director of vulnerability and threat research at
Qualys, said[3], adding the weakness
could be abused to “obtain full root privileges on default
installations of Ubuntu.”

Red Hat, in an independent advisory, described the issue as a
“race condition” in the snap-confine component.

“A race condition in snap-confine exists when preparing a
private mount namespace for a snap,” the company noted[4]. “This could allow a
local attacker to gain root privileges by bind-mounting their own
contents inside the snap’s private mount namespace and causing
snap-confine to execute arbitrary code and hence privilege
escalation.”

Qualys additionally discovered six other flaws:

  • CVE-2021-3995 – Unauthorized unmount in
    util-linux’s libmount
  • CVE-2021-3996 – Unauthorized unmount in
    util-linux’s libmount
  • CVE-2021-3997 – Uncontrolled recursion in
    systemd’s systemd-tmpfiles
  • CVE-2021-3998 – Unexpected return value from
    glibc’s realpath()
  • CVE-2021-3999 – Off-by-one buffer
    overflow/underflow in glibc’s getcwd()
  • CVE-2021-44730 – Hardlink attack in
    snap-confine’s sc_open_snapd_tool()

The vulnerability was reported to the Ubuntu security team on
October 27, 2021, following which patches were released on February
17 as part of a coordinated disclosure process.

Qualys also pointed out that while the flaw isn’t remotely
exploitable, an attacker who has logged in as an unprivileged user
can “quickly” exploit the bug to gain root permissions,
necessitating that the patches be applied as soon as possible to
mitigate potential threats.
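Because the practical response to CVE-2021-44731 is to confirm that every host runs a patched snapd, a small audit helper is useful. The script below is an added example, not code from the article, Qualys, or Canonical. It reports whether the local snap-confine binary is installed setuid root (the property that makes a flaw in it a root escalation) and compares the installed snapd package version against a patched version the administrator supplies. The patched version string is a placeholder: take the real value from the Ubuntu security notice for CVE-2021-44731. The default binary path and the use of `dpkg-query` and GNU `sort -V` are assumptions that hold on Ubuntu but not necessarily elsewhere.

```shell
#!/bin/sh
# Added example (not from the article or from Canonical/Qualys): audit a host
# for snapd patch status relative to CVE-2021-44731. Assumptions: Debian-style
# packaging (dpkg-query), GNU coreutils (sort -V), and the usual snap-confine
# install path. The "fixed" version below is a PLACEHOLDER; the real value
# comes from the Ubuntu security notice for CVE-2021-44731.

# version_lt A B: succeed (return 0) when A is older than B under natural
# version ordering (sort -V), fail otherwise. Equal versions are not "older".
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# patch_status INSTALLED FIXED: print one of "unknown", "vulnerable", "patched".
patch_status() {
    case "$1" in
        ''|unknown) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$2"; then
        echo vulnerable
    else
        echo patched
    fi
}

# setuid_status PATH: print "missing", "setuid-root", or "not-setuid".
setuid_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ] && [ "$(stat -c '%U' "$1" 2>/dev/null)" = root ]; then
        echo setuid-root
    else
        echo not-setuid
    fi
}

# installed_snapd_version: print the installed snapd version, or "unknown"
# on hosts without dpkg or without the package.
installed_snapd_version() {
    v=""
    if command -v dpkg-query >/dev/null 2>&1; then
        v="$(dpkg-query -W -f='${Version}' snapd 2>/dev/null || true)"
    fi
    [ -n "$v" ] && echo "$v" || echo unknown
}

# audit_snapd [FIXED_VERSION] [SNAP_CONFINE_PATH]: print a short report.
audit_snapd() {
    fixed="${1:-FIXED_VERSION_PLACEHOLDER}"         # placeholder, see above
    bin="${2:-/usr/lib/snapd/snap-confine}"         # assumed default path
    installed="$(installed_snapd_version)"
    echo "snap-confine ($bin): $(setuid_status "$bin")"
    echo "snapd installed version: $installed"
    echo "snapd patch status vs $fixed: $(patch_status "$installed" "$fixed")"
}

audit_snapd "$@"
```

Run it as `sh audit_snapd.sh <fixed-version-from-USN>`; a host that reports `setuid-root` together with `vulnerable` is the combination that warrants an immediate update, while `not-setuid` or `missing` means snap-confine cannot be the root escalation path on that machine.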

References

  1. Snap (en.wikipedia.org)
  2. snap-confine (manpages.ubuntu.com)
  3. said (blog.qualys.com)
  4. noted (ubuntu.com)
