Dangerous Privilege Escalation Bugs Found in Linux Snap Package Manager


Researchers have discovered an easy-to-exploit vulnerability in Snap, a universal application packaging and distribution system developed for Ubuntu but available on several Linux distributions. The flaw allows a low-privileged user to execute malicious code as root, the highest administrative account in Linux.

The vulnerability, identified as CVE-2021-44731, is one of a series of flaws that researchers from security firm Qualys discovered in various Linux components during their security investigation of Snap. It and a separate issue tracked as CVE-2021-44730 are in snap-confine, the tool responsible for setting up the sandboxes that Snap applications run in.

What is Snap?

Snap is a package manager for Linux systems developed by Canonical, the company behind the popular Ubuntu desktop and server distribution. It allows self-contained applications called “snaps” to be packaged and distributed; they run inside a restricted container that provides a configurable level of security.

Because they are self-contained, Snap apps have no external dependencies, which lets them work across multiple platforms or distros. Traditionally, each major Linux distribution maintains its own repository of pre-packaged software and its own package manager: Debian has DEB, Ubuntu has PPA, Fedora and Red Hat have RPM, Arch Linux has Pacman, and so on. All of these systems install the desired package and its dependencies as separate packages. Snaps, on the other hand, bundle all the necessary dependencies, making them deployable on any Linux system that runs the Snap service.

Snap comes by default on Ubuntu and several other Linux distributions and is available as an option in many more, including major ones. It is used to distribute not only desktop applications but also cloud and IoT applications.

Snap confinement – the isolation feature – has three levels of security, with strict mode used by most applications. In this mode, applications must request permission to access files, other processes, or the network. This is not unlike the application sandboxing and permissions model of mobile operating systems such as Android.

Since application sandboxing is one of Snap’s core features, any privilege escalation vulnerability that escapes this isolation and gains control of the host system is considered very serious.

Privilege Escalation Flaws

Qualys researchers dubbed their two snap-confine vulnerabilities “Oh Snap! More Lemmings” because they follow another privilege escalation flaw discovered in Snap in 2019 and dubbed Dirty Sock. Since Dirty Sock, Snap has undergone an extensive security audit by the SUSE security team and is generally programmed very defensively, using many kernel security features such as AppArmor profiles, seccomp filters, and mount namespaces.

“We nearly gave up on our audit after a few days,” the Qualys researchers said in their advisory, adding that “discovering and exploiting a vulnerability in snap-confine was extremely difficult (especially in a default Ubuntu installation).”

Nevertheless, the team spotted a few minor bugs and decided to press on. This resulted in the discovery of two privilege escalation vulnerabilities: CVE-2021-44730, a hard-link attack that is only exploitable in non-default configurations, namely when the kernel’s fs.protected_hardlinks sysctl is 0; and CVE-2021-44731, a race condition that is exploitable in default Ubuntu Desktop installations and near-default Ubuntu Server installations.
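The precondition for CVE-2021-44730 noted above, fs.protected_hardlinks set to 0, is something an administrator can audit directly. The POSIX shell helper below is an added example, not code from the article, Qualys or Canonical; it reads the live sysctl value from a file path (defaulting to /proc/sys/fs/protected_hardlinks), classifies it, parses a sysctl.d-style fragment for a persistent setting, and prints the hardened line to use.

```shell
#!/bin/sh
# Audit helper for the CVE-2021-44730 precondition: the hard-link attack
# only works when fs.protected_hardlinks is 0. Added example, not from
# the article, Qualys or Canonical.

# Print the current sysctl value. The path argument is optional so the
# function can be pointed at a captured file; the default is the live
# /proc/sys entry. Returns 1 if the file cannot be read.
read_protected_hardlinks() {
    file="${1:-/proc/sys/fs/protected_hardlinks}"
    [ -r "$file" ] || return 1
    tr -d '[:space:]' < "$file"
}

# Classify a value: 1 is the hardened (Ubuntu default) setting,
# 0 is the weak setting the article describes, anything else is unknown.
classify_protected_hardlinks() {
    case "$1" in
        1) echo hardened ;;
        0) echo weak ;;
        *) echo unknown ;;
    esac
}

# Extract the persistent setting from a sysctl.d-style fragment.
# Prints the last value assigned to the key, or nothing if it is unset.
persistent_protected_hardlinks() {
    sed -n 's/^[[:space:]]*fs\.protected_hardlinks[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | tail -n 1
}

# The line to place in a sysctl.d fragment to keep the protection on.
hardened_fragment() {
    printf 'fs.protected_hardlinks = 1\n'
}

# Report the live state; succeeds only when the protection is enabled.
audit() {
    live=$(read_protected_hardlinks "$1") || { echo "cannot read ${1:-/proc/sys/fs/protected_hardlinks}"; return 2; }
    state=$(classify_protected_hardlinks "$live")
    echo "fs.protected_hardlinks=$live ($state)"
    [ "$state" = hardened ]
}
```

Run `audit` with no argument on a live system; a non-zero exit means the weak setting (or an unreadable sysctl) was found, and `hardened_fragment` gives the line to persist under /etc/sysctl.d/.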

“This race condition opens up a world of possibilities: Inside the snap’s mount namespace (which we can enter via snap-confine itself), we can bind-mount a writable, non-sticky directory onto /tmp, or we can bind-mount any other part of the filesystem onto /tmp,” the Qualys researchers said. “We can reliably win this race condition by snooping /tmp/snap.lxd with inotify, pinning our exploit and snap-confine to the same CPU with sched_setaffinity(), and lowering snap-confine’s scheduling priority with setpriority() and sched_setscheduler().”

While investigating these flaws, Qualys researchers also discovered bugs in other libraries and related components used by Snap: unauthorized unmounts in util-linux’s libmount (CVE-2021-3996 and CVE-2021-3995); an unexpected return value from glibc’s realpath() (CVE-2021-3998); an off-by-one buffer overflow/underflow in glibc’s getcwd() (CVE-2021-3999); and uncontrolled recursion in systemd’s systemd-tmpfiles (CVE-2021-3997). These flaws were fixed in their respective components earlier this year.

Ubuntu has released patches for CVE-2021-44731 and CVE-2021-44730 for most of its supported editions, except 16.04 ESM (Extended Security Maintenance), which is still awaiting a fix. Both vulnerabilities are classified as high severity.

Copyright © 2022 IDG Communications, Inc.
