Multiple security vulnerabilities have been disclosed in Canonical’s Snap software packaging and deployment system, the most critical of which can be exploited to escalate privilege to gain root privileges.
Snaps can be used to install self-contained applications packages on Linux operating systems.
Tracked as CVE-2021-44731, the issue is a privilege escalation flaw in snap-confine, a program used internally by snapd to construct the execution environment for snap applications. The shortcoming is rated 7.8 on the CVSS scoring system.
“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host,” Bharat Jogi, director of vulnerability and threat research at Qualys, said, adding the weakness could be abused to “obtain full root privileges on default installations of Ubuntu.”
Red Hat described the problem in an independent advisory as “race conditions” within the snap-confine system.
“A race condition in snap-confine exists when preparing a private mount namespace for a snap,” the company noted. “This could enable a local attacker to gain root privileges by bind-mounting their contents within the snap’s personal mount namespace. Snap-confine can then execute arbitrary code, thereby granting snap-confine privilege escalation.”
The cybersecurity firm additionally discovered six other flaws:
- CVE-2021-3995 – Unauthorized unmount in util-linux’s libmount
- CVE-2021-3996 – Unauthorized unmount in util-linux’s libmount
- CVE-2021-3997 – Uncontrolled recursion in systemd’s systemd-tmpfiles
- CVE-2021-3998 – Unexpected return value from glibc’s realpath()
- CVE-2021-3999 – Off-by-one buffer overflow/underflow in glibc’s getcwd()
- CVE-2021-44730 – Hardlink attack in snap-confine’s sc_open_snapd_tool()
The vulnerability was reported to the Ubuntu security team on October 27, 2021, following which patches were released on February 17 as part of a coordinated disclosure process.
Qualys also pointed out that while the flaw isn’t remotely exploitable, an attacker who has logged in as an unprivileged user can “quickly” exploit the bug to gain root permissions, so the patches should be applied as soon as possible to mitigate potential threats.