In a blog post, Qualys director of vulnerability and threat research, Bharat Jogi, explained that they found multiple vulnerabilities in the snap-confine function on Linux operating systems, "the most important of which can be exploited to escalate privilege to gain root privileges."
Jogi added that Snap was developed by Canonical for operating systems that use the Linux kernel.
"The packages called snaps, and the tool for using them, snapd, work across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system. Snap-confine is a program used internally by snapd to construct the execution environment for snap applications," Jogi said, noting that the main issue was CVE-2021-44731.
"Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu."
After discovering the vulnerabilities and sending an advisory to Ubuntu in October, the Qualys Research Team worked with Canonical, Red Hat and others to address the issue.
In a statement to ZDNet, Ubuntu publisher Canonical said throughout the development of the snap platform, they tried to ensure that the subsystems it depends on are used safely.
They noted that thanks to automatic refreshes, most snap-distributed platform installations in the world have already been fixed via updates.
In addition to CVE-2021-44731, Qualys discovered six other vulnerabilities. They provided a detailed breakdown of each issue and urged all users to patch as soon as possible.
"Unfortunately, such a modern confinement platform involves many subsystems, and sometimes we make mistakes. Thankfully, Canonical and Ubuntu are part of a large community that includes competent security researchers. Recently, Qualys informed us that one of the tools a part of the snap platform contains a security issue. In their words: Discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu), because snap-confine uses a very defensive programming style, AppArmor profiles, seccomp filters, mount namespaces, and two Go helper programs," a Canonical spokesperson said.
"As always, we are thankful to the great community we are part of, for finding and disclosing such security issues responsibly. We are also grateful to the professionals in our security and snap platform teams who acted quickly to mitigate the vulnerability and to the professionals in other organizations who worked timely on the respective issues disclosed. Updates for other packaging systems are also available and rolling out."
There are no mitigations for CVE-2021-44731, and Jogi noted that while the vulnerability is not remotely exploitable, an attacker can log in as any unprivileged user. The vulnerability can be quickly exploited to gain root privileges.
Vulcan Cyber engineer Mike Parkin said Snap has become reasonably widespread in the Linux world, with a number of major vendors distributing packages using it.
While any exploit that can give root access is problematic, being a local exploit somewhat reduces the risk; Parkin added that patching vulnerable systems should be a priority.
"This is both very widespread and also very dangerous, given that it enables a cybercriminal to escalate their privileges to gain root access. With that access threat, actors can distribute malware, plant deepfakes, move laterally within corporate networks, and many other forms of being compromised," said Viakoo CEO Bud Broomhead.
"Linux is widely used as the embedded operating system for IoT devices, which typically there are 5-10X more of than traditional IT devices in an organization. Currently, there is no mitigation for this vulnerability, but it will likely remain exploitable for some time when one becomes available. Unlike IT systems, IoT devices often lack automated methods of remediating vulnerabilities, giving the potential for this vulnerability to be present for a long time."