The snap-confine tool in the Linux world’s Snap software packaging system can be potentially exploited by ordinary users to gain root powers, says Qualys.
Snap was developed by Ubuntu maker Canonical, and can be used with Ubuntu and on other Linux distributions, if one so wishes, to install applications and services. According to infosec biz Qualys, which found and reported the security shortcomings, there are two ways Snap’s internal program snap-confine can be exploited to gain superuser privileges:
- CVE-2021-44730: a vulnerability involving a hardlink that is exploitable in a non-default configuration only ‒ the kernel’s fs.protected_hardlinks has to be zero.
- CVE-2021-44731, a race condition exploitable in default installations of Ubuntu Desktop, and near-default installations of Ubuntu Server – the default server installation plus one of the Featured Server Snaps offered during installation
Snap packages are most closely associated with Ubuntu, as we’ve reported over the years.
The two flaws are addressed in Ubuntu versions 21.10, 20.04, 18.04 and 16.04 and 14.04 by patching snap-confine to version 2.54.3, with Ubuntu itself noting on its advisory page: “In general, a standard system update will make all the necessary changes.”
Those patch releases, by the way, also address two separate holes: a data leak (CVE-2021-3155) found by James Troup; and an AppArmor bypass (CVE-2021-4120) found by Ian Johnson. In a statement, Canonical said: “As always, we are thankful to the great community we are part of, for finding and disclosing such security issues responsibly.”
Qualys said it discovered the privilege-escalation vulnerabilities last year during an audit, and public disclosure took place this Thursday. The biz also found and reported five other related bugs.
“We almost abandoned our audit after a few days, because snap-confine is programmed very defensively,” Qualys noted in its full technical writeup, citing both the defensive programming style and Ubuntu’s AppArmor access control system, which came close to shutting them out altogether. Finding the exploit certainly wasn’t straightforward, and the technical writeup bears a close read, perhaps over a cup of tea.
Qualys said it was able to develop exploit code to achieve privilege escalation.
Snap is one of a few competitors in the app packaging world, as The Register reported last year, and the idea is to just make it easier for developers to put their application into a parcel that can be released and installed on multiple distributions. ®