DecryptedTech

Thursday, 29 September 2022

Linux has a New Local Privilege Escalation Bug in Snap-Confine



Linux has always had something of a mystique about it. Regardless of the distro (flavor) of Linux, there are certain misconceptions around Linux that are both entertaining and concerning. One of my all-time favorites was, and is, that it is a “hacker” OS. This fun little misunderstanding was so bad at one point that it made its way into a parent’s guide on how to tell if your child is a hacker. Nothing says out of touch like labelling an entire OS line as a “hacker” OS. The other side of the coin is the belief that it is secure out of the box. In simple terms, no OS is secure out of the box; all of them have vulnerabilities, including serious ones that allow for complete compromise.

Multiple vulnerabilities were found by researchers at Qualys inside a Linux component called snap-confine. Snap-confine is the function that allows for the installation and deployment of packages in Linux. These packages are called snaps and are not specific to any one flavor of Linux; they are a simple method for developers to deliver applications directly to a wide range of Linux distros. The snap service executes the packages in a sandbox that has controlled access to the host on which they run. Snapd is the name of the tool that runs to effect this, and snap-confine is the name of the sandboxed environment where everything is executed.


One of the vulnerabilities discovered by the Qualys researchers (CVE-2021-44731, named “Oh Snap! More Lemmings”) is of particular concern, as it allows a locally logged-in, unprivileged user to elevate their privileges and execute arbitrary code as root. That is not what you want to hear about a core function like this.

Qualys discovered the vulnerability back in October of 2021 and alerted multiple Linux developers as well as Openwall. From there, public disclosure happened yesterday (02-17-2022) to coincide with the release of patches for the snap-confine vulnerability. Qualys, Ubuntu and Red Hat all advise users to patch as soon as possible. Although the vulnerability is not known to be remotely exploitable, it does leave things rather open to compromise by anyone who can log into the target OS. We do wonder, though, whether some of the snap API calls could be hijacked to leverage this.

It is always important to ensure that proper patching is done on systems in a timely manner, even if it means downtime so that the patches can be properly applied. Leaving vulnerabilities like this open in an OS is just not an option anymore. Security and operations teams need to work together and have buy-in from management to ensure that their organizations are not left exposed because a vulnerability like this was left in an environment. We also want to stress again: there is no such thing as a secure operating system or cloud service out of the box. You need to take a proactive approach to ensuring the security of your endpoints and environment.
Happy patching.
