Hacker Exploits Snapd Flaw to Obtain Access on Linux System.

Ubuntu and most of its Linux distribution packages have been affected by a privilege-escalation vulnerability. The flaw allows malicious programs or hackers to gain access, obtain root privileges and take control of a targeted Linux system.

This vulnerability, dubbed Dirty Sock and tracked as CVE-2019-7304, was discovered by Chris Moberly, a researcher at Missing Link Security, who recently disclosed it privately to Canonical, the maker of Ubuntu.

Inspired by the Dirty Cow vulnerability, Moberly named the flaw Dirty Sock because it concerns socket operations.

Moberly noted that the flaw resides in the REST API for Snapd devices and affected Snapd versions 2.28 through 2.37. 

Snapd is a Linux packaging system that allows users to download and install apps in the .snap format without requiring much modification. It also includes instructions on how to run and interact with other Linux systems for cloud, desktop and Internet of Things.

The Snapd package built by Canonical is installed by default on all versions of Ubuntu, and is used by other systems like Arch Linux, OpenSUSE, Fedora, Solus, and even Debian.

Snapd hosts a local web server (on an AF_UNIX socket) that provides a long list of RESTful APIs that help the service perform tasks on the OS.

The APIs come with access control that defines user-level permissions for performing specific actions. Some of the APIs are restricted to root users, while a few others can be accessed by low-privileged users.

Moberly noted a vulnerability in the way the access control mechanism checks the UID associated with a request made to the server. This allows hackers to overwrite the UID variable and access any API, obtaining administrator privileges.
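A UID check like the one described above is only as trustworthy as the source of the UID. The following added example (not from Moberly's report or from snapd's code) shows a local-socket service reading the peer's UID from the kernel with Linux's SO_PEERCRED and applying a root-only versus open endpoint policy; the endpoint paths and function names are hypothetical.

```python
import socket
import struct
from typing import NamedTuple

# Hypothetical endpoint policy (not snapd's real API paths), mirroring the
# split between root-only and generally accessible APIs described above.
ROOT_ONLY = {"/admin/create-user", "/admin/install"}
OPEN_TO_ALL = {"/info"}


class PeerCred(NamedTuple):
    pid: int
    uid: int
    gid: int


def peer_credentials(conn: socket.socket) -> PeerCred:
    # SO_PEERCRED (Linux) returns struct ucred {pid_t, uid_t, gid_t}.
    # The kernel records these values when the connection is made, so
    # nothing the client sends or names can change them afterwards.
    fmt = "iII"
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return PeerCred(*struct.unpack(fmt, raw))


def authorize(cred: PeerCred, path: str) -> bool:
    # Decide from the typed credential only, never from text parsed out
    # of the request or out of a string describing the connection.
    if path in OPEN_TO_ALL:
        return True
    if path in ROOT_ONLY:
        return cred.uid == 0
    return False  # unknown routes are denied by default


def demo() -> dict:
    # Constructed sample: a connected AF_UNIX pair stands in for the
    # daemon's accepted connection and a local client.
    server_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        cred = peer_credentials(server_side)
        return {p: authorize(cred, p) for p in ("/info", "/admin/install", "/nope")}
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    print(demo())
```

Keeping the credential as a typed value from the kernel, rather than as a field inside a string that is later re-parsed, leaves no UID variable for request data to overwrite.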

Moberly, however, disclosed that the Dirty Sock flaw did not allow attackers to remotely hijack a Linux system since it is a local privilege escalation flaw.

As part of his report, Moberly released two Proofs of Concept (PoCs). While one of them sideloads a malicious snap by abusing the API, the other requires an SSH connection.

In its swift response, Canonical has released Snapd version 2.37.1 to tackle this vulnerability. Ubuntu and other Linux distributions have also released fixed versions to address the flaw in their packages.

Linux users worldwide are encouraged to install and upgrade their system as quickly as possible.

CloudWedge