The vulnerability, named CVE-2021-44731, is part of a series of bugs that Qualys researchers discovered in several Linux components during their Snap security investigation. The latter, along with the other, called CVE-2021-44730, can be found in snap-confine, the tool responsible for creating sandboxes for the Snap app.

What is Snap?

Snap is a package manager for Linux developed by Canonical, behind the popular Ubuntu desktop and server distribution. It allows you to package and distribute standalone applications called “snaps” that run inside a restricted container, providing a configurable level of security.

Check also:

As standalone applications, Snap has no external dependencies, which allows it to be cross-platform and distributed across platforms. Traditionally, all major Linux distributions maintain their own repository and software manager. Debian has DEB, Ubuntu has PPA, Fedora and Red Hat has RPM, Arch Linux has Pacman, and so on. All these systems download the required package along with all other dependencies as separate packages. Snaps, on the other hand, are bundled with all the dependencies you need, making them globally deployable on all Linux systems equipped with Snap.

Snap ships by default on Ubuntu and many Linux distributions, and is available as an option on many other distributions, including the major. It is used to distribute not only desktop but also cloud and IoT applications.

Snap Confinement – or Quarantine – has three levels of security, with Strict Mode used by most apps. In this mode, apps must request access to files, other processes, or the network. This is no different from the sandboxing model of the app and permissions from mobile operating systems such as Android.

Since application sandboxing is one of Snap’s main features, any vulnerability that allows you to escape this isolation and take control of the host system is considered extremely dangerous.

Privilege escalation errors

Qualys researchers have dubbed their limited vulnerability “Oh Snap! More Lemmings” because it resembles another lightning bolt, discovered in 2019 called Dirty Sock. Since Dirty Sock, Snap has undergone extensive security audits by the SUSE security team and is generally programmed very defensively, taking advantage of several core security features. Such as AppArmor profiles, seccomp filters, and namespaces.

“We nearly abandoned our audit after a few days,” Qualys researchers said in their report, adding that “a limited vulnerability (especially in the default Ubuntu installation) was extremely difficult to detect and exploit.”

However, the team noticed some minor flaws and decided to move on. This resulted in the discovery of two privilege escalation vulnerabilities: CVE-2021-44730, a hardlink attack that can only be used in non-virtual configurations, i.e. when the kernel’s fs.protected_hardlinks is 0; and CVE-2021-44731, which is a race state that can be used on virtual Ubuntu Desktop installations and semi-virtual Ubuntu Server installations.

“This race case opens up a world of possibilities: Inside the mount namespace of snap (which we can enter via snap-confine itself), we can create a globally writable, non-stickable directory to /tmp, or we can mount any other directory that is part of the file system to / tmp ”- say Qualysa analysts. “We can reliably win this race state by observing /tmp/snap.lxd with inotify, installing our exploit and confining us to the same CPU with Sched_setaffinity(), and lowering the snap-cline scheduling priority with setpriority() and schedule_schedule.()” .

While investigating these flaws, Qualys researchers also discovered bugs in libraries and other related components that Snap uses: unauthorized mounts in libmount util-linuxa (CVE-2021-3996 and CVE-2021-3995); Unexpected return value from realpath() glibc (CVE-2021-3998); Buffer overflow/flow out via one in getcwd() glibc (CVE-2021-3999); Uncontrolled recursion in systemd-tmpfiles (CVE-2021-3997). These bugs were corrected in these components earlier this year.

Ubuntu has released patches for CVE-2021-44731 and CVE-2021-44730 for most versions of Linux it supports, with the exception of ESM 16.04 (Extended Security Maintenance), which is still awaiting patches. Both vulnerabilities are rated very dangerous.

Source: CSO