Skip to content

Search the site

Ubuntu vulnerabilities allow escalation to root: time to patch

LPEs give any user root, but...

Ubuntu has patched multiple vulnerabilities, some of which allow any unprivileged user to gain root privileges on the vulnerable host. Two, in snap-confine (a SUID-root program that is installed by default on Ubuntu) were reported by security firm Qualys, which admitted that finding and exploiting them had been "extremely challenging (especially in a default installation of Ubuntu), because snap-confine uses a very defensive programming style, AppArmor profiles, seccomp filters, mount namespaces, and two Go helper programs."

Despite this, Ubuntu's ubiquity in cloud environments means that users should patch against these if they can; there's enough information in a series of posts for attackers to reverse engineer the patches and work out how to abuse the vulnerabilities. (Qualys says it has tested an exploit that lets the vulnerability be quickly exploited to gain root privileges by any unprivileged user, but will not be publishing that full exploit.)

The two primary vulnerabilities are a hardlink attack (this requires a non-standard configuration of Ubuntu server, in which a system admin has disabled the usual hardlink protections) and affecting Ubuntu desktop, a race-condition when creating mount namespace. This lets any user inject malicious libraries into the snap execution environment and have these get executed by snap-confine itself to gain root priveleges.

Qualy said its finding of these bugs was like playing the original Lemmings game, due to the complex series of moves required to slip past the defense-in-depth construction of snap-confine.

The two vulnerabilities published by Qualys are CVE-2021-44730 (Ubuntu: "snapd did not properly validate the location of the snap-confine binary. A local attacker could possibly use this issue to execute other arbitrary binaries and escalate privileges") and CVE-2021-44731 (Ubuntu: a race condition existed in the snapd snap-confine binary when preparing a private mount namespace for a snap. A local attacker could possibly use this issue to escalate privileges and execute arbitrary code"), while Canonical has also patched CVE-2021-3155, reported by Canonical's James Troup (Ubuntu: "snap did not properly manage the permissions for the snap directories. A local attacker could possibly use this issue to expose sensitive information" and CVE-2021-4120, reported by Canonical's Ian Johnson (Ubuntu: "snapd did not properly validate content interfaces and layout paths. A local attacker could possibly use this issue to inject arbitrary AppArmor policy rules, resulting in a bypass of intended access restrictions.") The bugs were first reported in November 2021.

Qualys has details on its exploitation of both here.

Ubuntu's security team has more details on their security podcast here

See also: The Optionis data breach is worse than you can imagine.