A vulnerability affecting Snapd – a package installed by default in Ubuntu and used by other Linux distributions such as Debian, OpenSUSE, Arch Linux, Fedora and Solus – may allow a local attacker to obtain administrator privileges, i.e., root access and total control of the system.
Snapd is a service used to deliver, update and manage apps (in the form of snap packages) on Linux distributions.
“This service is installed automatically in Ubuntu and runs under the context of the ‘root’ user. Snapd is evolving into a vital component of the Ubuntu OS, particularly in the leaner spins like ‘Snappy Ubuntu Core’ for cloud and IoT,” noted Chris Moberly, the security researcher who discovered the flaw.
The Snap ecosystem includes a snap store where developers can contribute and maintain ready-to-go packages.
Unfortunately, there have already been successful attempts to introduce malicious code in some of those packages.
About the vulnerability (CVE-2019-7304)
Moberly discovered CVE-2019-7304 (aka “Dirty Sock”) and privately disclosed it to Canonical, the maker of Ubuntu, in late January.
The flaw affects Snapd versions 2.28 through 2.37.
It is a local privilege escalation vulnerability, meaning that attackers must first gain access to the target machine as an unprivileged user (for example, remotely) and only then can use the flaw to elevate their privileges.
“Snapd serves up a REST API attached to a local UNIX_AF socket. Access control to restricted API functions is accomplished by querying the UID associated with any connections made to that socket. User-controlled socket peer data can be affected to overwrite a UID variable during string parsing in a for-loop. This allows any user to access any API function. With access to the API, there are multiple methods to obtain root,” Moberly explained in a blog post.
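To make the parsing mistake in Moberly's description concrete, here is an added illustrative Go sketch (not snapd's code; the "key=value;" peer-string layout, the field names and the sample strings are assumed) that places a last-wins UID parser next to a strict one that fails closed when the uid field is missing or repeated:

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// Constructed peer strings (assumed "key=value;" layout); peerTampered smuggles a second uid= field.
const (
	peerNormal   = "pid=4242;uid=1000;socket=/run/snapd.socket;"
	peerTampered = "pid=4242;uid=1000;socket=/tmp/x;uid=0;"
)

// uidFields returns every uid= value in the ';'-separated peer string, in order.
func uidFields(peer string) ([]uint32, error) {
	var uids []uint32
	for _, field := range strings.Split(peer, ";") {
		if !strings.HasPrefix(field, "uid=") {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimPrefix(field, "uid="), 10, 32)
		if err != nil {
			return nil, err
		}
		uids = append(uids, uint32(v))
	}
	return uids, nil
}

// parseUIDLastWins mirrors the weak loop: each later uid= field overwrites the earlier one.
func parseUIDLastWins(peer string) (uint32, error) {
	uids, err := uidFields(peer)
	if err != nil || len(uids) == 0 {
		return 0, errors.New("no usable uid field in peer data")
	}
	return uids[len(uids)-1], nil // the trailing, user-influenced field wins
}

// parseUIDStrict accepts exactly one uid= field and fails closed on anything else.
func parseUIDStrict(peer string) (uint32, error) {
	uids, err := uidFields(peer)
	if err != nil || len(uids) != 1 {
		return 0, errors.New("expected exactly one well-formed uid field")
	}
	return uids[0], nil
}
```

The strict variant only narrows this class of bug; the durable design is to take the peer's UID from the kernel (SO_PEERCRED on the Unix socket) rather than re-parsing it out of a string that user-controlled data can influence.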
He also made public two PoC exploits for it, which allow the flaw to be exploited on systems with an Internet connection and an SSH service, and on those without (via malicious, sideloaded snaps).
The flaw was fixed in Snapd version 2.37.1 and later, and Ubuntu and the other Linux distributions mentioned above already ship a fixed version of the package.
Users are, of course, urged to upgrade their installations as soon as possible.