From https://www.openwall.com/lists/oss-security/2022/02/17/2:

========================================================================
Summary
========================================================================

We recently audited snap-confine (a SUID-root program that is installed by default on Ubuntu) and discovered two vulnerabilities (two Local Privilege Escalations, from any user to root): CVE-2021-44730 and CVE-2021-44731.

"Snap is a software packaging and deployment system developed by Canonical for operating systems that use the Linux kernel. The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system." (Wikipedia)

"snap-confine is a program used internally by snapd to construct the execution environment for snap applications." (man snap-confine)

Discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu), because snap-confine uses a very defensive programming style, AppArmor profiles, seccomp filters, mount namespaces, and two Go helper programs. Eventually, we discovered two vulnerabilities:

- CVE-2021-44730, a hardlink attack that is exploitable in a non-default configuration only (when the kernel's fs.protected_hardlinks is 0);

- CVE-2021-44731, a race condition that is exploitable in default installations of Ubuntu Desktop, and near-default installations of Ubuntu Server (the default installation, plus one of the "Featured Server Snaps" that are offered during the installation; for example, "heroku" or "microk8s").
While working on snap-confine, we also discovered several vulnerabilities in related packages and libraries: CVE-2021-3996 and CVE-2021-3995 in util-linux (libmount and umount), CVE-2021-3998 and CVE-2021-3999 in the glibc (realpath() and getcwd()), and CVE-2021-3997 in systemd (systemd-tmpfiles). We partially published these secondary vulnerabilities in January 2022, shortly after their patches became available:

https://www.openwall.com/lists/oss-security/2022/01/10/2
https://www.openwall.com/lists/oss-security/2022/01/24/2
https://www.openwall.com/lists/oss-security/2022/01/24/4

If you enjoy puzzle games like Lemmings (which turns 31 this year!), then we hope that you will enjoy this advisory.
CVE-2021-3155: snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85
https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca

CVE-2021-4120: snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
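Two of the conditions quoted above are easy to check from the defender's side: the kernel's fs.protected_hardlinks sysctl (0 is the non-default setting under which CVE-2021-44730 is exploitable) and the mode of the per-user ~/snap directory (CVE-2021-3155: created without owner-only permissions). The following script is an added example, not code from the advisory, from snapd or from the Gentoo commits; it assumes a Linux host with GNU stat, and the function names are my own.

```shell
#!/bin/sh
# Added example: report the two preconditions named in the advisory text.
# Assumed: /proc/sys/fs/protected_hardlinks exists and `stat -c %a` is GNU stat.

# Returns 0 when the sysctl value in $1 is the hardened setting (1), 1 otherwise.
hardlinks_protected() {
    [ "$1" = "1" ]
}

# Returns 0 when an octal mode string in $1 (e.g. 700, 0700) grants nothing to
# group or other, i.e. its last two octal digits are both zero.
mode_is_owner_only() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Inspect the live host; returns 0 when both checks pass, 1 otherwise.
audit_host() {
    rc=0
    hl=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null || echo unknown)
    if hardlinks_protected "$hl"; then
        echo "fs.protected_hardlinks=$hl: ok"
    else
        echo "fs.protected_hardlinks=$hl: CVE-2021-44730 precondition present (set it to 1)"
        rc=1
    fi
    if [ -d "$HOME/snap" ]; then
        mode=$(stat -c %a "$HOME/snap")
        if mode_is_owner_only "$mode"; then
            echo "$HOME/snap mode $mode: ok"
        else
            echo "$HOME/snap mode $mode: readable by others (CVE-2021-3155 symptom; chmod 700 it)"
            rc=1
        fi
    else
        echo "$HOME/snap: not present, nothing to check"
    fi
    return $rc
}

# Only touch the host when explicitly asked, so sourcing the file is side-effect free.
if [ "${1-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh snap-precheck.sh --audit`; a non-zero exit status means at least one of the two conditions is present. Neither check replaces upgrading snapd to the fixed versions listed above.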
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46f127f94639382842e87b71f8edaadfe2ef0fd2

commit 46f127f94639382842e87b71f8edaadfe2ef0fd2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-02-18 18:19:14 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-02-18 18:20:33 +0000

    app-containers/snapd: Remove vulnerable version

    Bug: https://bugs.gentoo.org/833584
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/snapd/Manifest            |   3 -
 app-containers/snapd/snapd-2.53.4.ebuild | 180 -------------------------------
 app-containers/snapd/snapd-2.54.1.ebuild | 180 -------------------------------
 app-containers/snapd/snapd-2.54.2.ebuild | 180 -------------------------------
 4 files changed, 543 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b954000843bde5a248db161bbfd178ef58f1f06b

commit b954000843bde5a248db161bbfd178ef58f1f06b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-02-18 18:17:14 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-02-18 18:20:32 +0000

    app-containers/snapd: Bump to version 2.54.3

    Bug: https://bugs.gentoo.org/833584
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/snapd/Manifest            |   1 +
 app-containers/snapd/snapd-2.54.3.ebuild | 180 +++++++++++++++++++++++++++++++
 2 files changed, 181 insertions(+)
Thanks Zac!