Canonical snapd Local Privilege Escalation Vulnerability

CVE Number – CVE-2019-7304

A vulnerability in the REST API for the Canonical snapd daemon could allow a local attacker to gain elevated privileges on a targeted system.

The vulnerability is due to improper access controls that are implemented by the affected software when parsing and validating remote socket addresses. An attacker could exploit this vulnerability by creating a file that contains uid=0 in its name, binding to that file as a socket, and then using it to initiate a connection to the snapd socket. The attacker could then overwrite the previous user identifier (UID) after the string is parsed and appear to the snapd daemon as a root user. A successful exploit could allow the attacker to create a new local user with root privileges using the API’s POST /v2/create-user function. 

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available. 

Canonical has confirmed the vulnerability and released software updates.

Analysis

• To exploit this vulnerability, the attacker must have user-level access to the targeted system. This access requirement could reduce the likelihood of a successful exploit.This vulnerability is referred to as “Dirty_Sock”.

Safeguards

• Administrators are advised to apply the appropriate updates.
  
  Administrators are advised to allow only trusted users to access local systems.
  
  Administrators are advised to allow only privileged users to access administration or management systems.
  
  Administrators are advised to monitor critical systems.

Vendor Announcements

• Canonical has released a bug report at the following link: Bug 1813365

Fixed Software

• Canonical has released software updates at the following link: snapd 2.37.1