In the middle of the last decade, Canonical (the company behind Ubuntu Linux) launched its own initiative for distributing distribution-independent software packages for Linux. Snap packages thus joined the other ‘universal’ formats, such as Flatpak and AppImage.
Serious security problems were already found in the format’s early days, six years ago, when a flaw allowed the developers of one Snap to steal data from other applications. Now several new vulnerabilities in this packaging system have come to light …
…the most critical of them being CVE-2021-44731, a flaw that can be exploited to carry out a privilege escalation attack and so obtain ‘root’ privileges (the administrator account on Unix systems).
Code injections (already patched)
This security problem, rated 7.8 on the CVSS severity scale, is located in snapd (the program that installs, updates and removes Snap packages), specifically in its snap-confine component, which sets up the environment in which a Snap application runs.
According to Red Hat’s advisory, the bug in this component is a ‘race condition’: a flaw in which the result depends on the relative timing of events, so that a second, carefully timed process can interfere between the steps of an operation that was assumed to run without interruption.
The affected operation is the preparation of the Snap’s private mount ‘namespace’; an attacker who wins the race can get arbitrary code executed there, which is what makes the root escalation possible. Bharat Jogi, director of vulnerability and threat research at Qualys, explains that
“Successful exploitation of this vulnerability allows any non-privileged user to gain root privileges on the vulnerable host and [could be used to] get full root privileges on default installations of Ubuntu”.
And while the vulnerability cannot be exploited remotely, any attacker who already has a local session as an unprivileged user can ‘quickly’ exploit the bug to obtain administrator permissions.
In addition, the cybersecurity firm discovered six other vulnerabilities:
- CVE-2021-3995 – Unauthorized unmount in util-linux’s libmount.
- CVE-2021-3996 – Unauthorized unmount in util-linux’s libmount.
- CVE-2021-3997 – Uncontrolled recursion in systemd’s systemd-tmpfiles.
- CVE-2021-3998 – Unexpected return value from glibc’s realpath().
- CVE-2021-3999 – Off-by-one buffer overflow/underflow in glibc’s getcwd().
- CVE-2021-44730 – Hardlink attack in snap-confine’s sc_open_snapd_tool().
All of these vulnerabilities were patched yesterday by the Ubuntu security team, which had been notified of their existence at the end of last October (if you use this software, we recommend updating as soon as possible).
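As an added example that is not part of the original article and is not code from Canonical, Qualys or the snapd project: a small POSIX shell check that reads `snap version` output and reports whether the installed snapd is at or above a minimum version, so a fleet can be triaged without reading each host by hand. The threshold of 2.54.3 is an assumption made here (the article names no fixed version); take the real value from your distribution’s advisory before relying on it. The `snap version` sample embedded in the script is constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the article or from snapd itself.
# ASSUMPTION: 2.54.3 is used as the first fixed snapd version; verify this
# against your distribution's advisory before trusting the verdict.
ASSUMED_FIXED_VERSION=2.54.3

# Constructed sample of `snap version` output (columns: snap, snapd, series,
# distro, kernel), so the script can be run without snapd installed.
SAMPLE_SNAP_VERSION='snap    2.54.2
snapd   2.54.2
series  16
ubuntu  20.04
kernel  5.13.0-28-generic'

# Print the snapd version field from `snap version` style output.
snapd_version_from() {
    printf '%s\n' "$1" | awk '$1 == "snapd" { print $2; exit }'
}

# version_ge A B: exit 0 (true) if dotted version A >= B, 1 otherwise.
# Distribution suffixes such as "+20.04" are stripped before comparing, and
# missing components are treated as 0 (so 2.0 == 2).
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | awk -F. -v i="$i" '{ print $i }')
        y=$(printf '%s' "$b" | awk -F. -v i="$i" '{ print $i }')
        # Both versions exhausted without a difference: they are equal.
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# check_snapd OUTPUT MINVERSION: exit 0 if patched, 1 if below the
# threshold, 2 if the snapd version could not be read at all.
check_snapd() {
    v=$(snapd_version_from "$1")
    if [ -z "$v" ]; then
        echo "could not find a snapd version in the given output"
        return 2
    fi
    if version_ge "$v" "$2"; then
        echo "snapd $v: at or above $2"
        return 0
    fi
    echo "snapd $v: below $2, update snapd"
    return 1
}

# Demonstration on the constructed sample (reports "below", exit status 1).
check_snapd "$SAMPLE_SNAP_VERSION" "$ASSUMED_FIXED_VERSION"
# On a real host, feed it live output instead:
#   check_snapd "$(snap version)" "$ASSUMED_FIXED_VERSION"
```

The comparison is done component by component rather than with a string compare, because `2.55` must sort above `2.54.3` and a packaging suffix like `2.54.3+20.04` must not be mistaken for a lower or higher release.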
Via | The HackerNews