New Linux Privilege Escalation Flaw Discovered in Snap Package Manager


Multiple security vulnerabilities have been disclosed in Canonical’s Break software packaging and deployment system, the most critical of which can be exploited to elevate privileges to obtain root privileges.

Snaps are standalone application packages designed to run on operating systems that use the Linux kernel and can be installed using a tool called snapd.

Automatic GitHub backups

Tracked as CVE-2021-44731The issue involves an elevation of privilege flaw in snap-confine function, a program used internally by snapd to build the runtime environment for snap applications. The deficiency is rated 7.8 on the CVSS rating system.

“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host,” said Bharat Jogi, Director of Vulnerability and Threat Research at Qualys, notedadding that the weakness could be exploited to “gain full root privileges on default Ubuntu installations”.

Red Hat, in an independent advisory, described the issue as a “race condition” in the snap-confine component.

“A race condition in snap-confine exists when preparing a private mount namespace for a snap”, the company Noted. “This could allow a local attacker to gain root privileges by link-mounting their own content into the snap-in’s private mount namespace and causing snap-confine to execute arbitrary code and thus a escalation of privileges.”

Prevent data breaches

Six other flaws were also discovered by the cybersecurity firm –

  • CVE-2021-3995 – Unmount not allowed in util-linux’s libmount
  • CVE-2021-3996 – Unmount not allowed in util-linux’s libmount
  • CVE-2021-3997 – Uncontrolled recursion in systemd’s systemd-tmp files
  • CVE-2021-3998 – Unexpected return value of glibc realpath()
  • CVE-2021-3999 – Buffer overflow/overflow one by one in glibc’s getcwd()
  • CVE-2021-44730 – Hard link attack in sc_open_snapd_tool() of snap-confine

The vulnerability was reported to the Ubuntu security team on October 27, 2021, after which patches were released on February 17 as part of a coordinated disclosure process.

Qualys also pointed out that while the flaw is not remotely exploitable, an attacker who logged in as an unprivileged user can “quickly” exploit the bug to gain root permissions, which requires that patches be applied as soon as possible to mitigate potential threats. .


Comments are closed.