SnapSocketParsing

Privilege escalation via snapd socket

Chris Moberly discovered that snapd in versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket (CVE-2019-7304). A local attacker could use this to access privileged socket APIs and obtain administrator privileges.

Classic Ubuntu systems with snaps installed (e.g., Ubuntu 18.04 LTS and higher by default) automatically refresh the core snap and relaunch snapd from the updated core snap. 2.37.1 snaps were released to the stable channel on 2019-02-01 and therefore any classic Ubuntu systems with snaps installed will typically have upgraded to the fixed snapd 2.37.1 by the time this issue went public.

Ubuntu Core systems automatically refresh themselves and reboot whenever updates to snapd are available. 2.37.1 snaps were released to the stable channel on 2019-02-01 and therefore Ubuntu Core systems will typically have upgraded to the fixed snapd 2.37.1 by the time this issue went public.

Timeline

  • 2019 Jan 25: Bug #1813365 filed (private security)
  • 2019 Jan 26: initial triage performed and minimal patches submitted by snapd team in bug. Issue introduced in 2.28
  • 2019 Jan 29: PR 6443 and PR 6447 committed to public GitHub, fixing the issue in passing. 2.37.1 is released and not affected. Vulnerability considered semi-public
  • 2019 Jan 29: Debian unstable updated to 2.37.1
  • 2019 Jan 29: OpenSUSE updated to include 2.37.1
  • 2019 Jan 29: 2.37.1 core snap uploaded to edge channel in Snap Store
  • 2019 Jan 29: 2.37.1 snapd snap uploaded to beta/edge channel in Snap Store
  • 2019 Jan 29: CRD requested with Arch, Debian, Fedora, OpenSUSE, Solus and Ubuntu
  • 2019 Jan 29: updates for Ubuntu stable releases prepared
  • 2019 Jan 30: Arch updated to include 2.37.1
  • 2019 Jan 30: 2.37.1 upload to proposed pocket for Ubuntu 14.04-19.04
  • 2019 Jan 31: Solus updated to 2.37.1
  • 2019 Feb 01: 2.37.1 SRU approved for Ubuntu 18.04 LTS
  • 2019 Feb 01: 2.37.1 core snap published to stable channel
  • 2019 Feb 09: Fedora updated to include 2.37.2
  • 2019 Feb 11: 2.37.1 SRU approved for Ubuntu 18.10
  • 2019 Feb 12: USN-3887-1 issued for Ubuntu

SecurityTeam/KnowledgeBase/SnapSocketParsing (last edited 2019-02-12 17:22:54 by jdstrand)