A vulnerability found in the Snap package manager for Linux

Snap package manager for Linux

Discovered in the Snap package manager for Linux systems developed by Canonical, a flaw exposes users to privilege escalation. A risk that can lead to root access.

Researchers have discovered an easy-to-exploit vulnerability in the Snap universal application packaging and distribution system, developed for Ubuntu, but available on multiple Linux distributions. The flaw allows a low-privileged user to execute malicious code with root privileges, in other words, those of the highest administrative account in Linux.

This vulnerability, which carries the reference CVE-2021-44731, is one of the many flaws discovered in various Linux components by researchers from the security company Qualys during their research on Snap security. This latest vulnerability, like another vulnerability with the reference CVE-2021-44730, is located in snap-confine, the tool used to set up the sandboxes in which Snap applications run.

Snap is a package manager for Linux systems developed by Canonical, the company behind the Ubuntu desktop and server distribution. It allows the packaging and distribution of autonomous applications called “snaps” that run in a restricted container, offering a configurable security level. Because they are self-contained, Snap applications have no external dependencies, allowing them to run on multiple platforms or distributions.

In general, each major Linux distribution maintains its own pre-packaged software repository and software manager, e.g. DEB for Debian, PPA for Ubuntu, RPM for Fedora and Red Hat, Pacman for Arch Linux, and so on. All these systems get the desired package and all other dependencies as separate packages. On the other hand, snaps applications come with all necessary dependencies, making them universally deployable on all Linux systems that have the Snap service.

Extensive security audit already conducted

The Snap Manager is shipped by default on Ubuntu and several Linux distributions and is available as an option in many others, including the major ones. It is used to distribute not only desktop applications, but also cloud and IoT applications. Snap containment – the isolation feature – has three levels of security, with Strict mode being used by most applications. In this mode, applications must request permission to access files, other processes or the network. This mode of operation is reminiscent of the application sandboxing and permissions model of mobile operating systems like Android. Since application sandboxing is one of Snap’s main features, any elevation of privilege vulnerability that allows users to escape this isolation and take control of the host system is therefore considered critical.

Qualys researchers have named their two snap-confine vulnerabilities “Oh Snap! More Lemmings,” because they were discovered after another elevation of privilege flaw identified in 2019 called Dirty Sock. Since Dirty Sock, Snap has undergone a thorough security audit by SuSE’s security team, and in general, the handler is programmed very defensively, using many kernel security features such as AppArmor profiles, seccomp filters and mount point namespaces. “We almost gave up on our audit after a few days,” Qualys researchers said in their advisory, adding that “discovering and exploiting a vulnerability in snap-confine was extremely difficult (especially in a default Ubuntu installation).”

Other bugs also discovered

Nevertheless, the team decided to continue its audit after finding some minor bugs. This is how they ended up discovering the two privilege escalation vulnerabilities CVE-2021-44730 and CVE-2021-44731. CVE-2021-44730 allows a so-called “hardlink attack”, exploitable only in default configurations, when the kernel parameter fs.protected_hardlinks is equal to 0.

As for the CVE-2021-44731 vulnerability, it creates a race condition that can be exploited in the default installations of Ubuntu Desktop and the default installations of Ubuntu Server. And this race condition opens a lot of possibilities: Within the snap mount namespace (which can be accessed by snap-confine itself), it becomes possible to mount a non-sticky directory where anyone can write to /tmp, or mount any other part of the file system to /tmp,” explained the Qualys researchers. “This race condition can be reliably reversed by monitoring /tmp/snap.lxd with inotify, placing the exploit and snap-confine on the same processor with sched_setaffinity(), and lowering the scheduling priority of snap-confine with setpriority() and sched_setscheduler(),” the researchers further explained.

In their examination of these flaws, Qualys researchers also discovered bugs in other libraries and related components used by Snap : including unauthorized disassembly in libmount of util-linux (CVE-2021-3996 and CVE-2021-3995); unexpected return value of realpath() of glibc (CVE-2021-3998); advanced off-by-one buffer overflow/underflow in getcwd() of glibc (CVE-2021-3999); uncontrolled recursion in systemd-tmpfiles of systemd (CVE-2021-3997).

These flaws were patched in these respective components earlier this year. Ubuntu has released patches for CVE-2021-44731 and CVE-2021-44730 for most of its Linux editions, with the exception of the 16.04 ESM (Extended Security Maintenance) flaw still awaiting a patch. The severity of these two vulnerabilities is considered as very critical.

War in Ukraine: semiconductor manufacturing may be affected

ukraine war

The war in Ukraine led by Russia could create shortages of neon. This noble gas is one of those used in the manufacture of semiconductors. In 2022, Ukraine will supply 70% of the world’s neon.

According to TrendForce, a Taiwanese research firm, the Russian invasion of Ukraine could exacerbate the global semiconductor shortage.

Neon shortage expected due to war in Ukraine?

Today, Ukraine supplies 70% of the world’s neon. This noble gas, the second lightest in the world, is one of the rare gases used to manufacture semiconductors. This noble gas is mainly used in the lithography stages of semiconductor production. The war in Ukraine led by Russia could create neon shortages.

Analysts say that chipmakers are always one step ahead, but depending on how long the war lasts, semiconductor production could well be affected. In the short term, global semiconductor production lines are not interrupted.

However, the reduction in gas supply will bring supply and demand into play, which means that prices are likely to increase, and those increases will likely be passed on to consumers…

Another analyst firm, Techcet, points out that Russia is also a major supplier of neon to the world and that the country also produces a lot of palladium, a metal that is essential for making catalytic converters and many electronic components. Sanctions imposed by NATO members against Russia may cause suppliers to seek alternative sources of supply.

The global supply chain is still very fragile

In the long term, this war may actually increase the shortage of semiconductors. Indeed, Russia’s invasion of Ukraine comes at a time when demand for chips has been rising across the board throughout the Covid-19 pandemic.

On the enterprise side, demand for chips specializing in artificial intelligence is expected to grow by more than 50% per year over the next few years.

The numerous investments announced, such as Intel’s intention to build a huge semiconductor production site in Ohio for $20 billion, the $52 billion announced by the United States or the European Commission’s €43 billion plan, may not be enough.

Gina M. Raimondo, U.S. Secretary of Commerce, believes that “the semiconductor supply chain remains fragile and it is critical that Congress act quickly to pass the $52 billion in chip funding proposed by the President as soon as possible.”

In the U.S., the semiconductor inventory has gone from 40 days ahead in 2019 to less than 5 days ahead in 2022. Automobiles, medical devices, and energy management equipment are the most chip-intensive areas. A new neon supply problem due to the war in Ukraine could have a significant impact on the shortage.

The smartphone market reached $450 billion in 2021

smartphone market data

A record figure for a market dominated by Apple and the successful launch of the iPhone 13.

Counterpoint Research, a firm specializing in the study of technology markets, has published a report outlining the state of the smartphone market in 2021. Despite the pandemic and the shortage of electronic components, the sector has achieved the best performance in its history.

Average smartphone price increased in 2021

In fact, the global smartphone market revenue crossed the record mark of $448 billion in 2021, according to the latest study by Counterpoint’s Market Monitor service. This is a 7% increase from the previous year. The average selling price of smartphones has also increased by 12% compared to 2020 to reach $322.

One reason for this trend is the increasing number of smartphones supporting 5G being deployed on the market. Logically, their price is higher than that of devices supporting only 4G. 5G-enabled smartphones accounted for more than 40% of global shipments in 2021, up from 18% in 2020.

As Counterpoint Research explains, demand for high-end smartphones has also been growing over the past year. This is a direct result of the Covid-19 pandemic, as users have been looking for a better experience for education, entertainment or even work from home. The shortage of semiconductors is also impacting the price of smartphones as some manufacturers have increased the price of their devices in order to cope with it.

Apple dominates the smartphone market

Unsurprisingly, Apple dominated the market in 2021 with the very successful launch of its iPhone 13 range. The Apple brand saw its iPhone-related revenue increase by 35% in one year to $196 billion. In 2021, the iPhone accounted for 44% of total global smartphone revenue.

The Cupertino-based firm is followed by Samsung, whose revenue grew 11% from 2020 to 2021. In addition to launching two folding smartphones, Samsung has managed to increase its global market share in the mid- and high-end segments with the launch of the flagship Galaxy S series.

It is Xiaomi that occupies the third place with a considerable increase in revenue of 49%. This is due in part to the popularity of Xiaomi devices in India, the firm’s largest market, as well as increased shipments and market share of its mid-range and high-end smartphones, such as the Mi 11x series.

The two manufacturers behind Xiaomi are also Chinese. They are OPPO and vivo, which have seen their revenues increase by 47% and 43% respectively. It should be noted that Huawei, once the best seller of smartphones in the world, is not among the top five manufacturers, as a result of the U.S. sanctions against it, which have greatly affected it.