Canonical's Snap Package Manager Has New Linux Privilege Escalation Flaw

Canonical’s Snap Package Manager has a new Linux privilege escalation flaw that can grant root privileges. Snap packages are self-contained application packages that run on operating systems using the Linux kernel and are installed with a tool called snapd.

The latest privilege escalation flaw lies in snap-confine, a program used internally by snapd to construct the execution environment for snap applications. It is tracked as CVE-2021-44731 and rated 7.8 on the CVSS scoring system.

Bharat Jogi, director of vulnerability and threat research at Qualys, said, “Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.”

He further added that the weakness could be abused to “obtain full root privileges on default installations of Ubuntu.”

Red Hat, in a note, said, “A race condition in snap-confine exists when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap’s private mount namespace and causing snap-confine to execute arbitrary code and hence privilege escalation.”

The security firm also discovered six other flaws, listed below:

  • CVE-2021-3995 – Unauthorized unmount in util-linux’s libmount
  • CVE-2021-3996 – Unauthorized unmount in util-linux’s libmount
  • CVE-2021-3997 – Uncontrolled recursion in systemd’s systemd-tmpfiles
  • CVE-2021-3998 – Unexpected return value from glibc’s realpath()
  • CVE-2021-3999 – Off-by-one buffer overflow/underflow in glibc’s getcwd()
  • CVE-2021-44730 – Hardlink attack in snap-confine’s sc_open_snapd_tool()

The Ubuntu security team reported the vulnerabilities on October 27, 2021. Patches were later released on February 17 as part of a coordinated disclosure process.

According to Qualys, the flaw is not remotely exploitable, but an attacker who is already logged in as an unprivileged user can “quickly” exploit the bug to gain root permissions. To mitigate the risk, all users should apply the released patches as soon as possible.
