In the middle of the last decade, Canonical (the developer of Ubuntu Linux) launched its own initiative to distribute distribution-independent software packages for Linux. Thus, the Snap packages came to join other ‘universal’ formats, such as Flatpak and AppImage.
Serious security problems were already detected in Snaps during the format's first steps, six years ago, when flaws allowed the developers of a snap to steal data from other applications. Now multiple new vulnerabilities in this software packaging system have come to light, the most critical being the one classified as CVE-2021-44731, a vulnerability that can be exploited to carry out a privilege escalation attack and thus obtain 'root' privileges (the administrator user on Unix systems).
Code injections (already patched)
This security issue, with a CVSS severity score of 7.8, is located in the snapd program (the one that allows you to install, update, and uninstall Snap packages), specifically in the snap-confine component, responsible for building the execution environment of the applications.
As reported by Red Hat, this component contains what is known as a 'race condition': a situation in which the outcome depends on the relative timing of operations that the program assumed would always run in a fixed order, so that an unexpected interleaving produces incorrect behaviour.
The affected process is the preparation of the snap's private 'namespace', and the flaw opens up the possibility of injecting arbitrary code. Bharat Jogi, director of vulnerability and threat research at Qualys, explains that
“Successful exploitation of this vulnerability allows any non-privileged user to gain root privileges on the vulnerable host and [could be used to] gain full root privileges on default installations of Ubuntu.”
And while this vulnerability cannot be exploited remotely, any attacker already logged in as a non-privileged user can 'quickly' exploit the bug to gain administrator permissions.
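To make the 'race condition' idea concrete, here is an added illustration (not snap-confine's code, and not taken from the article or from Qualys): a constructed toy in which a value is checked in one step and acted on in a later step. A second thread is deterministically scheduled into the gap between the two steps; in the unsafe version it changes the value after the check has passed, while in the hardened version the check and the action are held together under one lock, so the interleaving cannot happen. The class and function names are assumptions for the example.

```python
import threading


class SharedState:
    """Constructed toy: a value that must be checked before it is acted on."""

    def __init__(self):
        self.target = "safe"
        self.lock = threading.Lock()


def check_then_act(state, hold_window):
    """Unsafe pattern: the check and the action are separate steps.

    hold_window() marks the gap in which another thread may run; the later
    action then trusts a check that may no longer describe the current state.
    """
    ok = state.target == "safe"   # time of check
    hold_window()                 # gap: other threads can run here
    if ok:
        return state.target       # time of use: acts on whatever is there now
    return None


def check_then_act_locked(state, hold_window):
    """Hardened pattern: check and action form one critical section."""
    with state.lock:
        ok = state.target == "safe"
        hold_window()             # the gap still exists, but the lock is held
        if ok:
            return state.target
        return None


def run_race(fn):
    """Run fn with a second thread forced into the gap between check and use.

    Events make the interleaving deterministic: the second thread only
    starts once the check has happened, and the first thread only proceeds
    once the second thread has finished its attempt.
    """
    state = SharedState()
    checked = threading.Event()
    attempted = threading.Event()

    def hold_window():
        checked.set()             # signal: the check has been made
        attempted.wait()          # wait until the other thread has acted

    def other_thread():
        checked.wait()
        # Non-blocking acquire: succeeds only if the checker is not holding
        # the lock, i.e. only against the unsafe pattern.
        if state.lock.acquire(blocking=False):
            state.target = "swapped"
            state.lock.release()
        attempted.set()

    t = threading.Thread(target=other_thread)
    t.start()
    result = fn(state, hold_window)
    t.join()
    return result


if __name__ == "__main__":
    print("unsafe :", run_race(check_then_act))          # swapped
    print("locked :", run_race(check_then_act_locked))   # safe
```

The defensive lesson is the one the fix for such bugs always follows: the state that was checked must be the state that is used, which means either holding a lock across both steps or using a single operation that checks and acts atomically.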
In addition, the cybersecurity firm discovered six other vulnerabilities:
- CVE-2021-3995 – Unauthorized unmount in libmount of util-linux.
- CVE-2021-3996 – Unauthorized unmount in libmount of util-linux.
- CVE-2021-3997 – Uncontrolled recursion in systemd's systemd-tmpfiles.
- CVE-2021-3998 – glibc realpath() unexpected return value.
- CVE-2021-3999 – Off-by-one buffer overflow/underflow in glibc's getcwd().
- CVE-2021-44730 – Hardlink attack on snap-confine's sc_open_snapd_tool().
All these vulnerabilities were patched yesterday by the Ubuntu security team (we recommend updating as soon as possible if you use this software), after it was notified of their existence at the end of last October.
Via | The HackerNews