Qualys security researchers have uncovered several flaws in Canonical’s Snap software packaging and deployment system. Bharat Jogi, director of vulnerability and threat research at Qualys, explained that they discovered multiple defects in the snap-confine function on Linux operating systems (OS), “the most important of which can be exploited to escalate privilege to gain root privileges,” according to a blog post. He further said that Snap was created by Canonical for Linux-based operating systems.
Snaps and snapd, the utility for installing them, operate across various Linux distributions and allow upstream software developers to deliver their programs directly to customers. Snaps are isolated apps that run in a sandbox and have mediated access to the host system. According to Jogi, who noted that CVE-2021-44731 was the major vulnerability, snap-confine is software used internally by snapd to build the execution environment for snap programs.
“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu.”
The Qualys Research Team worked with Red Hat, Canonical, and others to resolve the issue after uncovering the vulnerabilities and delivering an alert to Ubuntu in October. Canonical did not return requests for comment. Qualys detected six more vulnerabilities in addition to CVE-2021-44731. They gave a complete description of each problem and advised all users to apply the patch as soon as feasible.
There are no mitigations for CVE-2021-44731. While it isn’t remotely exploitable, an attacker may log in as an unprivileged user and swiftly exploit the vulnerability to gain root privileges, as per Jogi. According to Vulcan Cyber engineer Mike Parkin, Snap has grown relatively common in the Linux world, with many significant vendors delivering packages using it. While any attack that grants root access is dangerous, Parkin said that being a local exploit decreases the risk significantly, and that patching affected systems should be a top priority.