A vulnerability found in the Snap package manager for Linux

Snap package manager for Linux

Discovered in the Snap package manager for Linux systems developed by Canonical, a flaw exposes users to privilege escalation. A risk that can lead to root access.

Researchers have discovered an easy-to-exploit vulnerability in the Snap universal application packaging and distribution system, developed for Ubuntu, but available on multiple Linux distributions. The flaw allows a low-privileged user to execute malicious code with root privileges, in other words, those of the highest administrative account in Linux.

This vulnerability, which carries the reference CVE-2021-44731, is one of the many flaws discovered in various Linux components by researchers from the security company Qualys during their research on Snap security. This latest vulnerability, like another vulnerability with the reference CVE-2021-44730, is located in snap-confine, the tool used to set up the sandboxes in which Snap applications run.

Snap is a package manager for Linux systems developed by Canonical, the company behind the Ubuntu desktop and server distribution. It allows the packaging and distribution of autonomous applications called “snaps” that run in a restricted container, offering a configurable security level. Because they are self-contained, Snap applications have no external dependencies, allowing them to run on multiple platforms or distributions.

In general, each major Linux distribution maintains its own pre-packaged software repository and software manager, e.g. DEB for Debian, PPA for Ubuntu, RPM for Fedora and Red Hat, Pacman for Arch Linux, and so on. All these systems get the desired package and all other dependencies as separate packages. On the other hand, snaps applications come with all necessary dependencies, making them universally deployable on all Linux systems that have the Snap service.

Extensive security audit already conducted

The Snap Manager is shipped by default on Ubuntu and several Linux distributions and is available as an option in many others, including the major ones. It is used to distribute not only desktop applications, but also cloud and IoT applications. Snap containment – the isolation feature – has three levels of security, with Strict mode being used by most applications. In this mode, applications must request permission to access files, other processes or the network. This mode of operation is reminiscent of the application sandboxing and permissions model of mobile operating systems like Android. Since application sandboxing is one of Snap’s main features, any elevation of privilege vulnerability that allows users to escape this isolation and take control of the host system is therefore considered critical.

Qualys researchers have named their two snap-confine vulnerabilities “Oh Snap! More Lemmings,” because they were discovered after another elevation of privilege flaw identified in 2019 called Dirty Sock. Since Dirty Sock, Snap has undergone a thorough security audit by SuSE’s security team, and in general, the handler is programmed very defensively, using many kernel security features such as AppArmor profiles, seccomp filters and mount point namespaces. “We almost gave up on our audit after a few days,” Qualys researchers said in their advisory, adding that “discovering and exploiting a vulnerability in snap-confine was extremely difficult (especially in a default Ubuntu installation).”

Other bugs also discovered

Nevertheless, the team decided to continue its audit after finding some minor bugs. This is how they ended up discovering the two privilege escalation vulnerabilities CVE-2021-44730 and CVE-2021-44731. CVE-2021-44730 allows a so-called “hardlink attack”, exploitable only in default configurations, when the kernel parameter fs.protected_hardlinks is equal to 0.

As for the CVE-2021-44731 vulnerability, it creates a race condition that can be exploited in the default installations of Ubuntu Desktop and the default installations of Ubuntu Server. And this race condition opens a lot of possibilities: Within the snap mount namespace (which can be accessed by snap-confine itself), it becomes possible to mount a non-sticky directory where anyone can write to /tmp, or mount any other part of the file system to /tmp,” explained the Qualys researchers. “This race condition can be reliably reversed by monitoring /tmp/snap.lxd with inotify, placing the exploit and snap-confine on the same processor with sched_setaffinity(), and lowering the scheduling priority of snap-confine with setpriority() and sched_setscheduler(),” the researchers further explained.

In their examination of these flaws, Qualys researchers also discovered bugs in other libraries and related components used by Snap : including unauthorized disassembly in libmount of util-linux (CVE-2021-3996 and CVE-2021-3995); unexpected return value of realpath() of glibc (CVE-2021-3998); advanced off-by-one buffer overflow/underflow in getcwd() of glibc (CVE-2021-3999); uncontrolled recursion in systemd-tmpfiles of systemd (CVE-2021-3997).

These flaws were patched in these respective components earlier this year. Ubuntu has released patches for CVE-2021-44731 and CVE-2021-44730 for most of its Linux editions, with the exception of the 16.04 ESM (Extended Security Maintenance) flaw still awaiting a patch. The severity of these two vulnerabilities is considered as very critical.