Flaw Makes Snap Package Manager for Linux Vulnerable


A flaw discovered in the Snap package manager for Linux systems, developed by Canonical, exposes users to privilege escalation, a risk that can lead to root access.


Researchers have discovered an easy-to-exploit vulnerability in Snap, the universal application packaging and delivery system developed for Ubuntu but available on multiple Linux distributions. The flaw allows a low-privileged user to execute malicious code with root privileges, i.e. those of the highest administrative account on Linux. The vulnerability, tracked as CVE-2021-44731, is one of several flaws that researchers from the security company Qualys found in various Linux components while investigating the security of Snap. Like the related CVE-2021-44730, it is located in snap-confine, the tool used to set up the sandboxes in which Snap applications run.

Snap is a package manager for Linux systems developed by Canonical, the publisher of the Ubuntu desktop and server distribution. It packages and distributes self-contained applications called “snaps” that run in a restricted container with a configurable level of confinement. Because they are self-contained, Snap apps have no external dependencies, which lets them work across multiple platforms and distributions. In general, each major Linux distribution maintains its own software repository and package manager, e.g. DEB for Debian, PPA for Ubuntu, RPM for Fedora and Red Hat, Pacman for Arch Linux, and so on. All of these systems fetch the desired package and each of its dependencies as separate packages. Snap applications, on the other hand, ship with all the dependencies they need, which makes them deployable on any Linux system that runs the Snap service.

An in-depth security audit already carried out

Snap comes standard on Ubuntu and several other Linux distributions and is available as an option in many more, including the major ones. It is used to distribute not only desktop applications but also cloud and IoT applications. Snap confinement, the isolation feature, has three levels of security, with Strict mode used by most applications. In this mode, apps must request permission to access files, other processes, or the network. This model is reminiscent of the application sandboxing and permission model of mobile operating systems such as Android. Application sandboxing is one of Snap’s core features, so any privilege escalation vulnerability that can evade this isolation and take control of the host system is considered critical.

The Qualys researchers dubbed their two snap-confine vulnerabilities “Oh Snap! More Lemmings”, as they were discovered after another privilege escalation flaw identified in 2019 and dubbed Dirty Sock. Since Dirty Sock, Snap has undergone a thorough security audit by the SuSE security team, and in general the tool is programmed very defensively, using many of the kernel’s security features such as AppArmor profiles, seccomp filters, and mount namespaces. “We almost gave up on our audit after a few days,” the Qualys researchers said in their advisory, adding that “discovering and exploiting a vulnerability in snap-confine was extremely difficult (especially in a default installation of Ubuntu)”.

Other bugs also discovered

Nevertheless, the team decided to continue its audit after spotting some minor bugs, and this led to the discovery of the two privilege escalation vulnerabilities CVE-2021-44730 and CVE-2021-44731. CVE-2021-44730 allows a so-called “hardlink attack”, exploitable only in configurations where the kernel’s fs.protected_hardlinks parameter is set to 0. CVE-2021-44731, on the other hand, is a race condition exploitable in default Ubuntu Desktop and default Ubuntu Server installations, and winning this race opens up a range of possibilities. “Inside snap’s mount namespace (which can be accessed by snap-confine itself), it becomes possible to mount a non-sticky directory to which anyone can write onto /tmp, or to mount any other part of the filesystem onto /tmp,” the Qualys researchers explained. “It is possible to reliably win this race condition by monitoring /tmp/snap.lxd with inotify, putting the exploit and snap-confine on the same processor with sched_setaffinity(), and lowering snap-confine’s scheduling priority with setpriority() and sched_setscheduler(),” the researchers added.
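The two preconditions named above, fs.protected_hardlinks being 0 and a world-writable, non-sticky directory standing in for /tmp, are both things an administrator can check. The following POSIX shell audit is an added example written for this article, not code from Qualys or from the snapd project; the paths are parameters so the checks can run against a fixture tree as well as a live host, and the function names are the author's own.

```shell
#!/bin/sh
# Defensive preflight for the snap-confine preconditions discussed in
# the article. Nothing here changes system state; it only reports.

# Returns 0 when the kernel hardlink restriction is enabled (value 1),
# 1 when it is disabled, 2 when the sysctl file cannot be read.
hardlinks_protected() {
    sysctl_file="${1:-/proc/sys/fs/protected_hardlinks}"
    [ -r "$sysctl_file" ] || return 2
    value=$(tr -d '[:space:]' < "$sysctl_file")
    [ "$value" = "1" ]
}

# Returns 0 when the directory carries the sticky bit. A world-writable
# directory without it lets any user remove or replace other users' entries,
# which is exactly the property a /tmp replacement must not have.
dir_is_sticky() {
    [ -d "$1" ] && [ -k "$1" ]
}

# Runs both checks, prints one line per check, and returns the number of
# checks that failed (0 means both hardening conditions hold).
audit_snap_preconditions() {
    sysctl_file="$1"
    tmp_dir="$2"
    failures=0
    if hardlinks_protected "$sysctl_file"; then
        echo "OK   fs.protected_hardlinks=1"
    else
        echo "WARN fs.protected_hardlinks is not 1 (hardlink-attack precondition)"
        failures=$((failures + 1))
    fi
    if dir_is_sticky "$tmp_dir"; then
        echo "OK   $tmp_dir has the sticky bit"
    else
        echo "WARN $tmp_dir is not a sticky directory"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage on a live host (paths are the real ones, not a fixture):
#   audit_snap_preconditions /proc/sys/fs/protected_hardlinks /tmp
```

A non-zero return value can be wired into a configuration-management or monitoring check so that a host which regresses to fs.protected_hardlinks=0 or loses the sticky bit on /tmp is flagged.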

While investigating these flaws, Qualys researchers also discovered bugs in other libraries and components used by Snap: unauthorized unmounts in util-linux’s libmount (CVE-2021-3996 and CVE-2021-3995); an unexpected return value from glibc’s realpath() (CVE-2021-3998); an off-by-one buffer overflow/underflow in glibc’s getcwd() (CVE-2021-3999); and uncontrolled recursion in systemd’s systemd-tmpfiles (CVE-2021-3997). These flaws were fixed in their respective components earlier this year. Ubuntu has released patches for CVE-2021-44731 and CVE-2021-44730 for most of its Linux editions, except for 16.04 Extended Security Maintenance (ESM), which is still awaiting a fix. The severity of these two vulnerabilities is rated as very critical.
