Security researchers with Qualys have discovered several vulnerabilities affecting Canonical’s Snap software packaging and deployment system.
In a blog post, Qualys director of vulnerability and threat research Bharat Jogi explained that they found multiple vulnerabilities in the snap-confine function on Linux operating systems, “the most important of which can be exploited to escalate privilege to gain root privileges.” Jogi added that Snap was developed by Canonical for operating systems that use the Linux kernel.
“The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system. Snap-confine is a program used internally by snapd to construct the execution environment for snap applications,” Jogi said, noting that the main issue was CVE-2021-44731.
“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu.”
After discovering the vulnerabilities and sending an advisory to Ubuntu in October, the Qualys Research Team worked with Canonical, Red Hat and others to address the issue. Canonical did not respond to requests for comment.
In addition to CVE-2021-44731, Qualys discovered six other vulnerabilities. They provided a detailed breakdown of each issue and urged all users to patch as soon as possible.
There are no mitigations for CVE-2021-44731 and Jogi noted that while the vulnerability is not remotely exploitable, an attacker can log in as any unprivileged user and the vulnerability can be quickly exploited to gain root privileges.
Vulcan Cyber engineer Mike Parkin said Snap has become reasonably widespread in the Linux world, with a number of major vendors distributing packages using it.
While any exploit that can give root access is problematic, being a local exploit reduces the risk somewhat, Parkin explained, adding that patching vulnerable systems should be a priority.
“This is both very widespread and also very dangerous, given that it enables a cyber criminal to escalate their privileges to gain root access. With that access threat actors can distribute malware, plant deepfakes, move laterally within corporate networks, and many other forms of being compromised,” said Viakoo CEO Bud Broomhead.
“Linux is widely used as the embedded operating system for IoT devices, which typically there are 5-10X more of than traditional IT devices in an organization. Currently there is no mitigation for this vulnerability, but when one becomes available it will likely remain exploitable for some time. Unlike IT systems, IoT devices often lack automated methods of remediating vulnerabilities, giving the potential for this vulnerability to be present for a long time.”