Root vulnerability in the snap package management tools

Qualys has identified a vulnerability (CVE-2022-3328) in the snap-confine utility, which ships with the SUID-root flag and is used by snapd to set up the execution environment for applications distributed as self-contained snap packages. The vulnerability allows an unprivileged local user to achieve root code execution in a default Ubuntu configuration. The problem is fixed in snapd 2.57.6. Package updates have been released for all supported Ubuntu branches.

Interestingly, the vulnerability in question was introduced while fixing a similar snap-confine vulnerability in February. The researchers prepared an exploit that obtains root access on Ubuntu Server 22.04; besides the snap-confine vulnerability, it relies on two vulnerabilities in the multipathd process (CVE-2022-41974, CVE-2022-41973) related to an authorization bypass when passing privileged commands and to unsafe handling of symbolic links.

The snap-confine vulnerability is caused by a race condition in the must_mkdir_and_open_with_perms() function, which was added to protect against the /tmp/snap.$SNAP_NAME directory being replaced with a symbolic link in the window after the owner check but before the bind-mount system call that mounts the directories for a snap package. The added protection consisted of renaming the /tmp/snap.$SNAP_NAME directory to another randomly named directory in /tmp if it exists and is not owned by root.

To exploit the renaming of /tmp/snap.$SNAP_NAME, the researchers took advantage of the fact that snap-confine also creates the directory /tmp/snap.rootfs_XXXXXX, which serves as the root for the contents of the snap package. The "XXXXXX" part of the name is chosen randomly with mkdtemp(), but a package named "rootfs_XXXXXX" passes the checks in the sc_instance_name_validate() function (that is, the idea is that $SNAP_NAME takes the value "rootfs_XXXXXX", after which the rename operation results in the /tmp/snap.rootfs_XXXXXX directory being overwritten with the snap's root).
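The two weaknesses described above, the check-then-use window on a path in /tmp and a name validator that lets a user-chosen package name coincide with a path the privileged helper uses internally, can be illustrated by the defensive patterns that close them. The following C program is an added example written for this page; it is not snap-confine's or snapd's own code and does not reproduce the actual fix in snapd 2.57.6. The function names, the `rootfs_` reserved prefix and the scratch paths are assumptions for illustration. `open_dir_owned_by()` opens a directory with `O_NOFOLLOW` and verifies ownership with `fstat()` on the returned descriptor, so that later operations through that descriptor act on the inode that was checked rather than on a path that may have been renamed or replaced by a symlink in the meantime; `name_collides_with_reserved()` rejects package names that would map onto the helper's own scratch directory naming scheme.

```c
// Added example (not snap-confine's or snapd's code): defensive patterns for
// (1) the check-then-use race on a /tmp directory and (2) a package name that
// collides with a reserved internal name. Names and prefix are assumptions.
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` as a directory without following a symlink at the final
 * component, and require that it is owned by `expected_uid`. Returns an open
 * fd on success, -1 on failure. The ownership check runs on the descriptor,
 * so openat()/mkdirat() through that fd cannot be redirected by a rename or
 * symlink swap that happens after the check. */
int open_dir_owned_by(const char *path, uid_t expected_uid) {
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;              /* ELOOP for a symlink, ENOTDIR, ... */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != expected_uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Reserved prefix the hypothetical helper uses for its own scratch root
 * directories (modelled on the /tmp/snap.rootfs_XXXXXX naming in the text). */
static const char RESERVED_PREFIX[] = "rootfs_";

/* Return 1 if a user-supplied package name would map onto a path the helper
 * itself creates, 0 otherwise. Case-insensitive so "ROOTFS_abc" is rejected. */
int name_collides_with_reserved(const char *name) {
    size_t n = strlen(RESERVED_PREFIX);
    if (strlen(name) < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)name[i]) != RESERVED_PREFIX[i]) return 0;
    return 1;
}

/* Self-check: creates a real directory and a symlink to it under a fresh
 * mkdtemp() directory (constructed fixture), then confirms the directory
 * opens, the symlink is refused, and a wrong owner is refused.
 * Returns 0 on success or the number of the failing step. */
int self_check(void) {
    char base[] = "/tmp/safe_open_demo_XXXXXX";
    if (mkdtemp(base) == NULL) return 1;
    char real[PATH_MAX], lnk[PATH_MAX];
    snprintf(real, sizeof real, "%s/real", base);
    snprintf(lnk, sizeof lnk, "%s/link", base);
    int rc = 0;
    if (mkdir(real, 0700) != 0) rc = 2;
    else if (symlink(real, lnk) != 0) rc = 3;
    else {
        int fd = open_dir_owned_by(real, getuid());
        if (fd < 0) rc = 4;                                  /* real dir must open */
        else close(fd);
        if (rc == 0 && open_dir_owned_by(lnk, getuid()) >= 0) rc = 5;       /* symlink refused */
        if (rc == 0 && open_dir_owned_by(real, getuid() + 1) >= 0) rc = 6;  /* wrong owner refused */
    }
    unlink(lnk); rmdir(real); rmdir(base);
    return rc;
}

int main(void) {
    printf("self_check: %d\n", self_check());
    printf("collides(\"rootfs_a1b2c3\") = %d\n", name_collides_with_reserved("rootfs_a1b2c3"));
    printf("collides(\"firefox\") = %d\n", name_collides_with_reserved("firefox"));
    return 0;
}
```

The design point is that a privileged helper should never make a security decision on a path in a world-writable directory and then use the path again: every operation after the check must go through the descriptor that was checked. The name filter is a separate, cheaper layer that keeps user-controlled input out of the helper's own namespace in /tmp, so that even a future race has nothing useful to target.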
