Oh, Snap! Security Holes Found in Linux Packaging System

Canonical's snap, like Flatpak (which originated at Red Hat), is a container-style Linux software packaging and deployment system. While snaps are most strongly associated with Ubuntu Linux, they are used to distribute and install Linux programs across many Linux distributions. And, alas, the Qualys Research Team has found several hard-to-find but nasty snap security problems, including the one behind its "Oh Snap! More Lemmings" exploit.
Despite the funny name, these security holes are serious. In the worst case, the main one, rated 7.8 on the Common Vulnerability Scoring System (CVSS), can be used to obtain full root privileges on a default Ubuntu installation. Ouch!
But, before getting worked up at Canonical, take a closer look. While investigating snap, Qualys also found security problems that affect all Linux distributions: CVE-2021-3996 and CVE-2021-3995 in util-linux (libmount and umount); CVE-2021-3998 and CVE-2021-3999 in glibc (realpath() and getcwd()); and CVE-2021-3997 in systemd (systemd-tmpfiles).
The security researchers also stated, “Discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu) because snap-confine uses a very defensive programming style, AppArmor profiles, seccomp filters, mount namespaces, and two Go helper programs.” Despite all that, they found a pair of vulnerabilities.
Running in a Sandbox
Before getting into that, though, some background: snaps are self-contained applications that run in a sandbox with mediated access to the host system. Traditional Linux package managers, such as Debian's DEB and Red Hat's RPM, install a program as one package and its dependencies as separate packages; a snap instead ships bundled with the dependencies it needs. That makes it easy to deploy the same snap on any Linux distribution running the snap service (snapd).
In recent years, this style of installing Linux applications has become very popular. While best known in Linux desktop circles, snaps are also used on servers and even as the basis of complete Linux distributions, such as Canonical's Internet of Things (IoT) distro, Ubuntu Core.
Snapd
The first problem was that snapd did not properly validate the location of the snap-confine binary, which runs setuid root. A hostile user could therefore hard-link the binary to another location and use it to execute other arbitrary binaries and escalate privileges. Qualys notes that this variant is only exploitable when the kernel's fs.protected_hardlinks sysctl is 0, which is not Ubuntu's default, so check that setting on hardened or customized hosts.
The researchers also discovered a race condition in snap-confine while it prepares a snap's private mount namespace. A local attacker who wins that race can bind-mount their own contents inside the snap's private mount namespace and make snap-confine execute arbitrary code. Because snap-confine runs as root, that is a direct path to full root privileges.
There is no remote way to exploit this directly. But any attacker who can log in as an unprivileged user could quickly use this vulnerability to gain root privileges.
Patch to the Rescue
Canonical has released patches that fix both security holes for the supported Ubuntu releases 21.10, 20.04, and 18.04; a normal system update will install them. The problem is also present in no-longer-supported Ubuntu releases such as 21.04 and 20.10; there, you should upgrade to a currently supported release. Finally, there is no fix available yet for Ubuntu 16.04 ESM (Extended Security Maintenance), but one should be out shortly.
Given this vulnerability’s high level of danger, I highly recommend you patch your distributions as soon as possible. You’ll be glad you did.
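The following shell script is added here as an example and is not code from the article, Canonical, or Qualys. It shows the quick triage a practitioner would run on a host for the two snap-confine issues above: it reads the installed snapd version and the kernel's fs.protected_hardlinks sysctl, compares the version against a fixed version, and prints what to do. Two assumptions are built in: the fixed version defaults to upstream snapd 2.54.3 (the article names no version, so treat your distribution's advisory as the authority and override it with FIXED_SNAPD), and the hard-link variant is treated as reachable only when fs.protected_hardlinks is 0, per Qualys's caveat.

```shell
#!/bin/sh
# Added example (not from the article, Canonical or Qualys): local triage for
# the two snap-confine issues described above.
#
# Assumptions, labelled as such:
#  - FIXED_SNAPD defaults to 2.54.3, the upstream snapd release assumed to
#    carry the fix; your distro's advisory is the authority.
#  - The hard-link variant is treated as reachable only when the kernel's
#    fs.protected_hardlinks sysctl is 0 (Qualys's caveat; Ubuntu defaults to 1).

# Drop Debian/Ubuntu packaging suffixes so "2.54.3+21.10ubuntu1" -> "2.54.3".
strip_suffix() {
  printf '%s\n' "${1%%[+~-]*}"
}

# Return 0 when dotted numeric version $1 >= $2, else 1. Missing components
# count as 0, so 2.54 < 2.54.3 and 2.54.3 equals 2.54.3.0.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"
    : "${ah:=0}"; : "${bh:=0}"
    if [ "$ah" -gt "$bh" ]; then return 0; fi
    if [ "$ah" -lt "$bh" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# Live readings; both print nothing when snapd or /proc is unavailable.
live_snapd_version() {
  command -v snap >/dev/null 2>&1 || return 0
  snap version 2>/dev/null | awk '$1 == "snapd" { print $2 }'
}
live_protected_hardlinks() {
  cat /proc/sys/fs/protected_hardlinks 2>/dev/null
}

# Verdict for a snapd version ($1) and fs.protected_hardlinks value ($2),
# against fixed version $3 (default FIXED_SNAPD or the assumed 2.54.3).
# Prints advice; returns 0 when no patching is needed, 1 when it is.
snap_triage() {
  ver="$1"; hardlinks="$2"; fixed="${3:-${FIXED_SNAPD:-2.54.3}}"
  if [ -z "$ver" ]; then
    echo "snapd not installed: nothing to do"
    return 0
  fi
  if [ "$hardlinks" = "0" ]; then
    echo "fs.protected_hardlinks=0: hard-link variant reachable; set it to 1 (sysctl -w fs.protected_hardlinks=1)"
  fi
  if version_ge "$(strip_suffix "$ver")" "$fixed"; then
    echo "snapd $ver: at or above assumed fixed version $fixed"
    return 0
  fi
  echo "snapd $ver: older than $fixed, update it: sudo apt update && sudo apt upgrade snapd"
  return 1
}

# Run against the live host when executed as a script.
snap_triage "$(live_snapd_version)" "$(live_protected_hardlinks)"
```

The version comparison deliberately strips the Ubuntu packaging suffix and compares only the dotted upstream number, which is enough to tell a pre-fix 2.54.x from the fixed release but not to tell two Ubuntu builds of the same upstream version apart; for that, `dpkg --compare-versions` against the exact package version from the advisory is the right tool.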
A Canonical representative said, “As always, we are thankful to the great community we are part of, for finding and disclosing such security issues responsibly. We are also grateful to the professionals in our security and snap platform teams who acted quickly to mitigate the vulnerability and to the professionals in other organizations who worked timely on the respective issues disclosed. By now, thanks to automatic refreshes, most snap-distributed platform installations in the world have already been fixed via updates. Updates for other packaging systems are also available and rolling out.”