Snapd Flaw Lets Attackers Gain Root Access On Linux Systems


Ubuntu and some other Linux distributions suffer from a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to obtain root privileges and total control over the targeted system.

Dubbed “Dirty_Sock” and identified as CVE-2019-7304, the vulnerability was discovered by security researcher Chris Moberly, who privately disclosed it to Canonical, the maker of Ubuntu, late last month.

The vulnerability resides in the REST API for the snapd service, a universal Linux packaging system that makes an application compatible with various Linux distributions without requiring any modification.

Built by Canonical, snapd comes installed by default on all versions of Ubuntu and is also used by other Linux distributions, including Debian, OpenSUSE, Arch Linux, Solus, and Fedora.

Snap packages are basically applications compressed together with their dependencies, along with instructions on how to run and interact with other software on various Linux systems for desktop, cloud, and Internet of Things.

Snapd locally hosts a web server (on an AF_UNIX socket) that offers a list of RESTful APIs that help the service perform various actions on the operating system. These REST APIs come with access control that defines user-level permissions for specific tasks. Some powerful APIs are only available to root users, while others can be accessed by low-privileged users.

According to Moberly, a flaw in the way the access control mechanism checks the UID associated with any request made to the server allows attackers to overwrite the UID variable and access any API function, including those that are restricted to the root user.

“Snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket,” Ubuntu explains in its advisory. “A local attacker could use this to access privileged socket APIs and obtain administrator privileges.”

However, it should be noted that since the Dirty Sock exploit leverages a local privilege escalation flaw, it does not allow hackers to compromise a vulnerable Linux system remotely.
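The parsing flaw described above, as an added Go example that is not snapd's code and not from the original article: a simplified model, assuming the server flattens the kernel-reported peer credentials and the peer-chosen socket address into one `;`-separated string (the function names and the string layout are illustrative assumptions). It shows why a field-by-field scan lets the address portion override the UID, and how an anchored parse fails closed instead.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// flatten models (assumption) a server that joins kernel-reported peer
// credentials and the peer-chosen socket address into one string.
func flatten(pid, uid int, peerAddr string) string {
	return fmt.Sprintf("pid=%d;uid=%d;socket=%s;", pid, uid, peerAddr)
}

// looseUID shows the flawed pattern: scan every field, last "uid=" wins.
func looseUID(s string) (int, error) {
	uid, err := -1, errors.New("no uid field")
	for _, f := range strings.Split(s, ";") {
		if strings.HasPrefix(f, "uid=") {
			uid, err = strconv.Atoi(strings.TrimPrefix(f, "uid="))
		}
	}
	return uid, err
}

// strictRe anchors the whole string; the address may not contain ';'.
var strictRe = regexp.MustCompile(`^pid=(\d+);uid=(\d+);socket=([^;]*);$`)

// strictUID accepts only the exact layout and fails closed otherwise.
func strictUID(s string) (int, error) {
	m := strictRe.FindStringSubmatch(s)
	if m == nil {
		return -1, errors.New("malformed credential string")
	}
	return strconv.Atoi(m[2])
}

func main() {
	// Constructed inputs: a plain address, and one that embeds its own field.
	for _, addr := range []string{"/tmp/client.sock", "/tmp/client.sock;uid=0;"} {
		s := flatten(4242, 1000, addr)
		loose, _ := looseUID(s)
		strict, err := strictUID(s)
		fmt.Printf("%-26q loose=%d strict=%d err=%v\n", addr, loose, strict, err)
	}
}
```

Keeping the kernel-reported credentials in a typed struct, rather than serialising and re-parsing them next to peer-controlled data, removes this class of bug entirely.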

Moberly has also released two proof-of-concept (PoC) exploits on GitHub today, one of which requires an SSH connection while the other is able to sideload a malicious snap by abusing this API.

Canonical has released snapd version 2.37.1 this week to address the vulnerability, and Ubuntu and other major Linux distributions have already rolled out a fixed version of their packages.

Linux users are highly recommended to upgrade their vulnerable installations as soon as possible.