New Linux Privilege Escalation Flaw Uncovered in Snap Package Manager

Cyber Security

Multiple security vulnerabilities have been disclosed in Canonical’s Snap software packaging and deployment system, the most critical of which can be exploited to escalate privilege to gain root privileges.

Snaps are self-contained application packages that are designed to work on operating systems that use the Linux kernel and can be installed using a tool called snapd.

Tracked as CVE-2021-44731, the issue concerns a privilege escalation flaw in the snap-confine function, a program used internally by snapd to construct the execution environment for snap applications. The shortcoming is rated 7.8 on the CVSS scoring system.

“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host,” Bharat Jogi, director of vulnerability and threat research at Qualys, said, adding the weakness could be abused to “obtain full root privileges on default installations of Ubuntu.”

Red Hat, in an independent advisory, described the issue as a “race condition” in the snap-confine component.

“A race condition in snap-confine exists when preparing a private mount namespace for a snap,” the company noted. “This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap’s private mount namespace and causing snap-confine to execute arbitrary code and hence privilege escalation.”

Additionally discovered by the cybersecurity firm are six other flaws –

  • CVE-2021-3995 – Unauthorized unmount in util-linux’s libmount
  • CVE-2021-3996 – Unauthorized unmount in util-linux’s libmount
  • CVE-2021-3997 – Uncontrolled recursion in systemd’s systemd-tmpfiles
  • CVE-2021-3998 – Unexpected return value from glibc’s realpath()
  • CVE-2021-3999 – Off-by-one buffer overflow/underflow in glibc’s getcwd()
  • CVE-2021-44730 – Hardlink attack in snap-confine’s sc_open_snapd_tool()

The vulnerability was reported to the Ubuntu security team on October 27, 2021, following which patches were released on February 17 as part of a coordinated disclosure process.

Qualys also pointed out that while the flaw isn’t remotely exploitable, an attacker that has logged in as an unprivileged user can “quickly” exploit the bug to gain root permissions, necessitating that the patches are applied as soon as possible to mitigate potential threats.