A vulnerability found in the Snap package manager for Linux


A flaw discovered in the Snap package manager for Linux systems, developed by Canonical, exposes users to privilege escalation: a risk that can lead to root access.

Researchers have discovered an easy-to-exploit vulnerability in Snap, the universal application packaging and distribution system developed for Ubuntu but available on multiple Linux distributions. The flaw allows a low-privileged user to execute malicious code with root privileges, in other words with the rights of the highest administrative account on a Linux system.

This vulnerability, tracked as CVE-2021-44731, is one of several flaws discovered in various Linux components by researchers from the security company Qualys during their research on Snap security. Like a second vulnerability, CVE-2021-44730, it is located in snap-confine, the tool used to set up the sandboxes in which Snap applications run.

Snap is a package manager for Linux systems developed by Canonical, the company behind the Ubuntu desktop and server distribution. It allows the packaging and distribution of self-contained applications called “snaps” that run in a restricted container offering a configurable level of security. Because they are self-contained, Snap applications have no external dependencies, which allows them to run on multiple platforms and distributions.

In general, each major Linux distribution maintains its own pre-packaged software repository and package manager, e.g. DEB for Debian, PPA for Ubuntu, RPM for Fedora and Red Hat, Pacman for Arch Linux, and so on. All of these systems fetch the requested package and each of its dependencies as separate packages. Snap applications, on the other hand, ship with all the dependencies they need, making them deployable on any Linux system that runs the Snap service.

Extensive security audit already conducted

The Snap package manager ships by default on Ubuntu and several other Linux distributions and is available as an option in many more, including the major ones. It is used to distribute not only desktop applications but also cloud and IoT applications. Snap confinement – the isolation feature – has three levels of security, with Strict mode being used by most applications. In this mode, applications must request permission to access files, other processes or the network. This model is reminiscent of the application sandboxing and permission model of mobile operating systems such as Android. Since application sandboxing is one of Snap’s main features, any elevation-of-privilege vulnerability that lets a user escape this isolation and take control of the host system is considered critical.

Qualys researchers named their two snap-confine vulnerabilities “Oh Snap! More Lemmings,” because they were discovered after another elevation-of-privilege flaw identified in 2019 and called Dirty Sock. Since Dirty Sock, Snap has undergone a thorough security audit by SuSE’s security team, and in general the tool is programmed very defensively, using many kernel security features such as AppArmor profiles, seccomp filters and mount namespaces. “We almost gave up on our audit after a few days,” Qualys researchers said in their advisory, adding that “discovering and exploiting a vulnerability in snap-confine was extremely difficult (especially in a default Ubuntu installation).”

Other bugs also discovered

Nevertheless, the team decided to continue its audit after finding some minor bugs, and this is how it ended up discovering the two privilege escalation vulnerabilities CVE-2021-44730 and CVE-2021-44731. CVE-2021-44730 allows a so-called “hardlink attack”, exploitable only in default configurations, when the kernel parameter fs.protected_hardlinks is equal to 0.

As for CVE-2021-44731, it is a race condition that can be exploited in default installations of Ubuntu Desktop and Ubuntu Server. “This race condition opens a lot of possibilities: within the snap mount namespace (which can be accessed by snap-confine itself), it becomes possible to mount a non-sticky directory where anyone can write to /tmp, or mount any other part of the file system to /tmp,” explained the Qualys researchers. “This race condition can be reliably reversed by monitoring /tmp/snap.lxd with inotify, placing the exploit and snap-confine on the same processor with sched_setaffinity(), and lowering the scheduling priority of snap-confine with setpriority() and sched_setscheduler(),” the researchers added.
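Two host-side conditions mentioned above are easy to audit: the value of the fs.protected_hardlinks sysctl (the hardlink attack of CVE-2021-44730 needs it to be 0) and whether /tmp is still a sticky, world-writable directory (the race in CVE-2021-44731 is used to mount a non-sticky directory over it). The following script is an added example, not code from the article or from Canonical or Qualys; it reads /proc/sys/fs/protected_hardlinks and stats /tmp, and the pure helper functions can also be fed constructed values, as the usage at the bottom shows. The paths and the message wording are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Audit the two host conditions discussed for the snap-confine flaws.

Added example (not part of the original article). It checks:
  * fs.protected_hardlinks, which must be 1 to block hardlink attacks, and
  * /tmp, which must be a sticky (mode 1777) world-writable directory.
"""
import os
import stat
import sys

# Assumed paths; these are the standard locations on Linux.
PROC_HARDLINKS = "/proc/sys/fs/protected_hardlinks"
TMP_DIR = "/tmp"


def hardlink_protection_enabled(raw_value: str) -> bool:
    """Parse the text of fs.protected_hardlinks ('0' or '1').

    The kernel exposes the value as a single digit followed by a newline.
    Any other content is treated as an error rather than silently "safe".
    """
    value = raw_value.strip()
    if value not in ("0", "1"):
        raise ValueError(f"unexpected fs.protected_hardlinks value: {value!r}")
    return value == "1"


def tmp_mode_is_safe(mode: int) -> bool:
    """Return True if st_mode describes a sticky, world-writable directory.

    A shared /tmp must be a directory (S_IFDIR), carry the sticky bit
    (S_ISVTX) so users cannot delete or rename each other's files, and
    be world-writable (0o777 permission bits).
    """
    return (
        stat.S_ISDIR(mode)
        and bool(mode & stat.S_ISVTX)
        and (mode & 0o777) == 0o777
    )


def audit(hardlinks_raw: str, tmp_mode: int) -> list:
    """Combine both checks and return a list of human-readable findings."""
    findings = []
    if not hardlink_protection_enabled(hardlinks_raw):
        findings.append(
            "fs.protected_hardlinks=0: hardlink attacks are not blocked; "
            "set it to 1 (sysctl -w fs.protected_hardlinks=1) and persist "
            "the setting in /etc/sysctl.d/"
        )
    if not tmp_mode_is_safe(tmp_mode):
        findings.append(
            f"{TMP_DIR} is not a sticky, world-writable directory "
            f"(mode {stat.S_IMODE(tmp_mode):04o}); expected 1777"
        )
    return findings


def audit_host() -> list:
    """Run the audit against the live system (Linux only)."""
    with open(PROC_HARDLINKS, encoding="ascii") as fh:
        hardlinks_raw = fh.read()
    tmp_mode = os.stat(TMP_DIR).st_mode
    return audit(hardlinks_raw, tmp_mode)


if __name__ == "__main__":
    # Constructed sample inputs, so the logic can be seen without root or Linux:
    # sysctl disabled and /tmp lacking the sticky bit yields two findings.
    for line in audit("0\n", 0o40777):
        print("SAMPLE:", line)
    # Live check; exits non-zero when anything needs attention.
    try:
        problems = audit_host()
    except OSError as exc:
        print(f"cannot audit this host: {exc}", file=sys.stderr)
        sys.exit(2)
    for line in problems:
        print("FINDING:", line)
    sys.exit(1 if problems else 0)
```

The helpers are kept free of I/O so they can be reused in a configuration-management test, and a malformed sysctl value raises instead of being reported as compliant.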

While examining these flaws, the Qualys researchers also discovered bugs in other libraries and components used by Snap: unauthorized unmounting in libmount from util-linux (CVE-2021-3996 and CVE-2021-3995); an unexpected return value from glibc’s realpath() (CVE-2021-3998); an off-by-one buffer overflow/underflow in glibc’s getcwd() (CVE-2021-3999); and uncontrolled recursion in systemd-tmpfiles from systemd (CVE-2021-3997).

These flaws were patched in their respective components earlier this year. Ubuntu has released patches for CVE-2021-44731 and CVE-2021-44730 for most of its editions, with the exception of 16.04 ESM (Extended Security Maintenance), which is still awaiting a patch. The severity of both vulnerabilities is considered very critical.

What Are The Best Linux Distributions Available To You?


The world of operating systems has been practically dominated by Microsoft Windows for several consecutive decades now, although Apple software is also out there on its associated hardware. Some growth and innovation in the netbook and laptop markets has brought in new players like Google’s Chrome OS, but for the most part, Apple and Microsoft rule the scene.

Despite all this, Linux has hung around, catering to a select base of users. Some individuals prefer it at an enthusiast level as either a complement or even a replacement for corporate software, and some companies like using it because the very nature of Linux distributions means they can be had freely.

Whatever your reason for being curious, you might be wondering what the best Linux distributions are at this point in time. It’s not a question quickly answered, as one single distribution rarely proves best for all uses and cases. In fact, what you intend to use a Linux distribution for will often determine which one is the most suitable choice for you.

The first thing you should establish is your minimum system specifications on the computer or device you intend to run a Linux distribution on. Most of the time, such distributions will need fewer resources than another operating system, which is something many Linux users love, so you’re probably safe. Still, you don’t want to get a distribution you can’t run. In fact, you should verify you can run it well.

Secondly, consider if you are going to have it share a machine or have a computer all to itself as a secondary computer. Some Linux distributions coexist with other operating systems better than others.

Third, ask yourself what your intentions are. If you’re looking for an alternative operating system because you’re tired of the instability and cumbersome controls often associated with Microsoft Windows, then a stable beginner-friendly system should be your goal. On the other hand, if you’re looking for something to support a gaming rig, you want something that uses far fewer resources than Windows so your games have more dedicated power, yet you also want options for specific control over components and possibly even overclocking of your CPU and graphics card.

One final decision you should make is whether you want to buy a retail package or download a particular distribution for free. A retail package might be more convenient and easier to install and use, and might even come with some support. Then again, you would be paying for something that could be free for you.

It’s not a bad idea to ask around or look online. PC sites are always updating their lists of the best Linux distributions available to reflect the current state of affairs, and any Linux enthusiasts you know are probably going to be more than happy to discuss things with you since they can show off their knowledge and expertise.

A growing demand for open source talents


The annual report on employment in the open source sector, released by the Linux Foundation and Dice, is available. This report shows that opportunities are growing for qualified open source professionals.

The survey was conducted among more than 750 hiring managers and 6500 Open Source professionals. The summary of the conclusions of this report is very positive and shows some significant changes since the 2017 report:

Hiring open source talent is a priority for 83% of recruiters, up from 76% in 2017.

Linux is back among the most popular open source skill categories, making it required knowledge for most entry-level open source careers.

Containers are rapidly gaining in popularity and importance, with 57% of hiring managers seeking this expertise, up from only 27% last year.

There is a gap between the views of hiring managers and information technology professionals on the effectiveness of efforts to improve diversity in the industry.

Hiring managers are moving away from hiring external consultants and choosing to train existing employees on new open source technologies and help them obtain certifications.

A still very tight recruitment market

While 55% of open source professionals surveyed say it is easy for them to find a job and 87% believe that mastering open source has boosted their careers, the situation is just as tricky for recruiters. 87% of recruiters report difficulties in recruiting.

To retain the most interesting profiles and attract talent, several strategies are being put in place. Among these, training and particularly certification have become essential weapons, and the share of companies implementing such plans has doubled since 2016, reaching almost half of respondents (42%). Developers say that training is their first difficulty (49%) in the open source sector, ahead of the lack of documentation (41%).

Salaries remain the primary motivating factor in recruitment, at 30%, but 19% of open source professionals say their primary motivation lies in the originality of the projects and 14% cite the possibility of balancing their professional and personal lives. A further 10% consider flexible working hours and teleworking as the main reasons for their recruitment decision.

The most sought-after skills in the open source market

The only upheaval in the 2018 ranking of sought-after skills: Linux. It had not gone far, but mastery of the operating system came back in force, with 80% of recruiters looking for these skills. With 44% of recruiters looking for profiles that master containerization technologies, the growing trend observed over the last two years is confirmed, placing these technologies among the most fashionable in technology companies. The rest of the podium is made up of cloud, security, web technologies and networking.

Suse will continue its open strategy following purchase


A pioneer of the open source era and the first company to provide open source services to businesses, SUSE is being acquired for 2.535 billion dollars by the Swedish private equity group EQT Partners. This acquisition comes shortly after SUSE Linux Enterprise 15 became available in beta.

Largest operation in SUSE history

With 1400 employees worldwide, SUSE achieved sales of nearly $35 million over the last twelve months of 2017. The sale price is 26.7 times the adjusted operating income of the SUSE software unit for the 12 months ended October 2017.

Since its creation by German students, SUSE (Software- und System-Entwicklung) has been bought several times, notably by the American software company Novell in 2003 for 120 million dollars, as part of a strategy to compete with Microsoft’s operating systems. That strategy did not succeed, and Novell itself was bought by the Attachmate Group for 2.2 billion. In 2014 Attachmate merged with the British software company Micro Focus for 1.2 billion dollars. The acquisition by EQT Partners therefore represents the most significant transaction in the company’s history.

SUSE to focus on infrastructure

SUSE appears pleased with the partnership with its new owner EQT Partners and is committed to focusing on its expansion into the IT infrastructure field.

“This is exciting news for all of us at SUSE and marks the next step on our path of growth and momentum. The investment and support provided by EQT will enable us to continue to drive our strategy.”

What about open source?

In the announcement on the company’s blog, SUSE wants to reassure about its commitment to the open source world and the continuity of development projects:

“SUSE intends to continue its commitment to the open source business and development model and to actively participate in communities and projects aimed at bringing open source innovation to the enterprise in the form of high-quality, reliable and usable solutions. Our genuinely open source model, where open refers to the freedom of choice offered to customers and not just the code used in our solutions, is integrated into the SUSE culture, differentiates us in the marketplace and has been the key to our years of success.”

The company also confirms that the current management team will stay in place: “The current management team led by SUSE CEO, Nils Brauckmann, will remain and continue to focus on the success of customers and partners with a deep commitment to communities and open source projects.”