Recent cybersecurity findings have unveiled a critical privilege escalation vulnerability in Ubuntu and several other Linux distributions, which poses a significant risk by potentially granting local attackers or malicious software root access to affected systems.
This vulnerability, referred to as “Dirty Sock,” is indexed as CVE-2019-7304. Discovered by security researcher Chris Moberly, the flaw was privately reported to Canonical, the company behind Ubuntu, just last month. The issue lies within the REST API of the snapd service, a versatile system used to package applications in a way that ensures compatibility across multiple Linux distributions without necessitating modifications.
Canonical’s snapd is pre-installed on all Ubuntu versions and is also utilized by other distributions like Debian, OpenSUSE, Arch Linux, Solus, and Fedora. Snap packages encapsulate applications and their dependencies, facilitating interoperability with various software environments from desktops to cloud deployments.
The snapd service functions by locally hosting a web server on an AF_UNIX socket, providing a set of RESTful APIs that enable it to perform various operating system tasks. These APIs come with access controls tailored to govern user permissions for specific operations, distinguishing between those available to regular users and those reserved for root access.
However, Moberly has identified a severe flaw in how the snapd access control mechanism verifies the UID associated with requests. This vulnerability allows attackers to overwrite the UID variable, thus gaining unauthorized access to privileged API functions, including those exclusive to root users.
As detailed in an advisory from Ubuntu, “Snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address while applying access control on its UNIX socket.” This mismanagement could enable local attackers to bypass security barriers, exploiting privileged socket APIs to elevate their access rights.
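The design lesson in the advisory is that an authorisation decision on a local UNIX socket must be keyed on the credentials the kernel reports for the peer, not on any string that the client can shape. The following is an added illustration of that principle (generic example code, not snapd's implementation): `peer_credentials` reads `SO_PEERCRED` directly into a `struct ucred`, and `is_allowed` uses only that uid; the endpoint names are constructed placeholders.

```python
import os
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid; (three native ints).
_UCRED_FMT = "3i"


def peer_credentials(conn: socket.socket) -> tuple[int, int, int]:
    """Return (pid, uid, gid) of the process on the far end of a connected
    AF_UNIX socket, as filled in by the kernel via SO_PEERCRED.

    The kernel derives these from the peer's task credentials; no bytes the
    client sends and no path it binds to can influence the values.
    """
    if conn.family != socket.AF_UNIX:
        raise ValueError("peer credentials are only defined for AF_UNIX sockets")
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(_UCRED_FMT))
    pid, uid, gid = struct.unpack(_UCRED_FMT, raw)
    return pid, uid, gid


# Constructed split of a hypothetical local API into root-only and open endpoints.
ROOT_ONLY_ENDPOINTS = {"/admin/install", "/admin/users"}


def is_allowed(uid: int, endpoint: str) -> bool:
    """Authorisation keyed solely on the kernel-supplied uid."""
    if endpoint in ROOT_ONLY_ENDPOINTS:
        return uid == 0
    return True


def demo() -> tuple[int, int]:
    """Create a socket pair in this process and read the peer uid from each end.
    Both ends belong to the same process, so both must equal os.getuid()."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        _, uid_seen_by_a, _ = peer_credentials(a)
        _, uid_seen_by_b, _ = peer_credentials(b)
    finally:
        a.close()
        b.close()
    return uid_seen_by_a, uid_seen_by_b


if __name__ == "__main__":
    print("peer uids:", demo(), "own uid:", os.getuid())
    print("uid 0 -> /admin/install:", is_allowed(0, "/admin/install"))
    print("uid 1000 -> /admin/install:", is_allowed(1000, "/admin/install"))
```

`SO_PEERCRED` is Linux-specific; on other platforms `getpeereid`, `LOCAL_PEERCRED` or `SCM_CREDENTIALS` ancillary data play the same role. Whatever the source, the point stands: the uid used for the decision should come from the kernel in a typed structure, never be re-derived by splitting a composite text string in which part of the content is under the caller's control.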
It is crucial to note that, while this exploit can facilitate local privilege escalation, it does not permit remote hackers to compromise a vulnerable machine directly. Moberly has also released two proof-of-concept (PoC) exploits on GitHub, demonstrating the attack vector, with one requiring an SSH connection and the other capable of sideloading a malicious snap by leveraging the vulnerable API.
Canonical has promptly addressed this vulnerability by releasing snapd version 2.37.1, which mitigates the identified risks. Major Linux distributions, including Ubuntu, have concurrently initiated updates to their affected packages.
Given the potential ramifications of this vulnerability, Linux users are strongly encouraged to upgrade their systems without delay to minimize exposure to this threat.
In this context, it is essential for businesses to be aware of the MITRE ATT&CK framework, particularly the Privilege Escalation tactic and its techniques. Exploitation for Privilege Escalation, the technique that a flaw like this one maps to, illustrates how attackers expand their capabilities after initial access to a host. The urgency of applying the latest security patches cannot be overstated, as failure to do so leaves systems exposed to this and subsequent vulnerabilities.