A newly discovered Snap flaw allows a low-privileged user to gain root access.
Researchers found an easy-to-exploit vulnerability in Snap, a universal application packaging and distribution system developed for Ubuntu but available on multiple Linux distributions. The flaw allows a low-privileged user to execute malicious code as root, the highest administrative account on Linux.
Snap privilege escalation
The vulnerability, tracked as CVE-2021-44731, is part of a series of flaws that researchers from security firm Qualys found in various Linux components while investigating the security of Snap. This latest one, along with a separate issue tracked as CVE-2021-44730, are in snap-confine, the tool responsible for setting up Snap application sandboxes.
What is Snap?
Snap is a package manager for Linux systems that was developed by Canonical, the company behind the popular Ubuntu desktop and server distribution. It allows the packaging and distribution of self-contained applications called “snaps” that run inside a restricted container, providing a configurable level of security.
By being self-contained, Snap applications don’t have external dependencies, which allows them to work cross-platform or cross-distribution. Traditionally, each major Linux distribution maintains its own pre-packaged software repository and software manager. Debian has DEB, Ubuntu has PPA, Fedora and Red Hat have RPM, Arch Linux has Pacman, and so on. All these systems pull in the desired package along with all other dependencies as separate packages. Snaps, on the other hand, come bundled with all the needed dependencies, making them universally deployable on all Linux systems that have the Snap service.
Snap ships by default on Ubuntu and several Linux distributions and is available as an option in many others, including the major ones. It’s used to distribute not only desktop applications, but also cloud and IoT ones.
Snap confinement — the isolation feature — has three levels of security with the Strict mode being used by most applications. In this mode, applications need to request access to access files, other processes, or the network. This is not unlike the application sandboxing and permissions model from mobile operating systems like Android.
Since application sandboxing is one of the core features of Snap, any privilege escalation vulnerability that allows escaping that isolation and taking control of the host system is considered very serious.
Privilege escalation flaws
The Qualys researchers have dubbed their two snap-confine vulnerabilities as “Oh Snap! More Lemmings” because they follow another privilege escalation flaw discovered in Snap in 2019 and dubbed Dirty Sock. Since Dirty Sock, Snap has seen a thorough security audit by the SUSE security team and in general is programmed very defensively, making use of many kernel security features such as AppArmor profiles, seccomp filters and mount namespaces.
“We almost abandoned our audit after a few days,” the Qualys researchers said in their advisory, adding that “discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu.
Nevertheless, the team spotted a few minor bugs and decided to push on. This resulted in the discovery of two privilege escalation vulnerabilities: CVE-2021-44730, a hardlink attack that’s only exploitable in non-default configurations, namely when the kernel’s fs.protected_hardlinks is 0; and CVE-2021-44731, a race condition that is exploitable in default installations of Ubuntu Desktop and near-default installations of Ubuntu Server.
“This race condition opens up a world of possibilities: Inside the snap’s mount namespace (which we can enter through snap-confine itself), we can bind-mount a world-writable, non-sticky directory onto /tmp, or we can bind-mount any other part of the filesystem onto /tmp,” the Qualys researchers said. “We can reliably win this race condition, by monitoring /tmp/snap.lxd with inotify, by pinning our exploit and snap-confine to the same CPU with sched_setaffinity(), and by lowering snap-confine’s scheduling priority with setpriority() and sched_setscheduler().”
In the process of investigating these flaws, the Qualys researchers have also discovered bugs in other related libraries and components that Snap uses: Unauthorized unmounts in util-linux’s libmount (CVE-2021-3996 and CVE-2021-3995); unexpected return value from glibc’s realpath() (CVE-2021-3998); off-by-one buffer overflow/underflow in glibc’s getcwd() (CVE-2021-3999); Uncontrolled recursion in systemd’s systemd-tmpfiles (CVE-2021-3997). These flaws were patched in those respective components earlier this year.
Ubuntu has released patches for CVE-2021-44731 and CVE-2021-44730 for most of its supported Linux editions, except for 16.04 ESM (Extended Security Maintenance) which is still awaiting a fix. Both vulnerabilities are rated as high severity.