Skip to main content

On 17th Feb 2022, the Qualys Research Team published a post that says the research team has identified multiple vulnerabilities in the snap-confine function, a program used in Snap package manager to construct the execution environment for snap applications. The team says the vulnerability, tracking as CVE-2021-44731, is the most critical of all in the list, which can be abused to perform privilege escalation attacks and obtain full root privileges on the default installation of Debian/Ubuntu Linux distributions. The flaw has got a score of 7.8 in the CVSS scoring system and is categorized as High. It is important to Fix the CVE-2021-44731 vulnerability. We have created this post to let you know how to fix the CVE-2021-44731 (Oh Snap!) vulnerability- A privilege escalation vulnerability in the Snap package manager.

What Are Snap Package Manager, Snaps, Snapd, And Snap-confine?

Snap package manager is a well knows software packaging and development system developed for an operating system that uses Linux kernel. The ultimate goal behind creating the Snap package manager is to reduce the dependency issues commonly seen in package installations in Linux distributions by creating application snaps including the dependent libraries. In Snap package manager system, the created application packages are called snaps, and the tool for using those application snaps is called snapd. Snaps are self-contained applications with all the required dependency packages to run the application. Snaps runs the applications in a sandbox with mediated access to the host system. Snap-confine is a program in snapd used to construct the execution environment for snap applications.

Snap package manager was created by Canocical, a UK-based private computer software company. Initially, Snap was developed for cloud applications, later it was introduced to IoT devices and desktop Linux distributions, and now for applications too.

“A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the Snap’s private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation.”

Associated CVE IDCVE-2021-44731
DescriptionA Privilege Escalation Vulnerability in Snap Package Manager
Associated ZDI ID
CVSS Score7.8 High
Impact Score6.0
Exploitability Score1.1
Attack Vector (AV)Local
Attack Complexity (AC)High
Privilege Required (PR)Low
User Interaction (UI)None
Confidentiality (C)High
Integrity (I)High
availability (a)High

Summary Of Other Vulnerabilities Disclosed With Snap-Confine Local Privilege Escalation Vulnerability:

There are other six vulnerabilities disclosed in Snap. Here you can see the list of the vulnerabilities:

CVE IDBase ScoreShort DescriptionCVSS Vector
CVE-2021-447307.8 HighHardlink attack in snap-confine’s sc_open_snapd_tool()CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-39965.5 MediumUnauthorized unmount in util-linux’s libmountCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-39954.7 LowUnauthorized unmount in util-linux’s libmountCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-39985.9 MediumUnexpected return value from glibc’s realpath()CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-39997.4 HighOff-by-one buffer overflow/underflow in glibc’s getcwd()CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-39975.5 MediumUncontrolled recursion in systemd’s systemd-tmpfilesCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

PoC Of CVE-2021-44731 (Oh Snap!)- A Privilege Escalation Vulnerability In Snap Package Manager

Qualys confirmed that their research team has independently verified the vulnerability by developing an exploit for the CVE-2021-44731 vulnerability and obtaining full root privileges on default installations of Ubuntu. However, Qualys also confirmed that they hadn’t published the exploit code on public forums to avoid exploitation of the flaw. They just published a video note that shows the evidence of the Privilege Escalation Vulnerability in Snap Package Manager.

See Also How To Fix CVE-2021-43304(5)- Heap Buffer Overflow Vulnerabilities In ClickHouse Database Management System

How To Detect CVE-2021-44731 (Oh Snap!)?

There is no such code or script to detect the CVE-2021-44731 vulnerability. Either you should use Vulnerability scanning tools like Qualys VMDR or check the version of Snap package installed on your Linux servers.

Use the following command on the respective Linux distributions to check the installed version of Snapd. If you see the snapd version less than or equal to v2.54.2, then that Linux server is vulnerable to the Snap-Confine Local Privilege Escalation Vulnerability.

Linux DistributionCommand to check the Snapd version
Ubuntu / Debian Linux Mintsudo apt list snapdORsudo apt info snapdORsudo dpkg -l snapd
Red Hat Enterprise / Cent OSsudo yum list snapdORsudo yum info snapdORrpm -qi snapd
Fedorasudo dnf list snapdORsudo dnf info snapd
Arch Linuxpacman -Qi snapd
Alpine Linuxapk info snapd
SUSE Linuxzypper se -s snapdORrpm -qi snapd

How To Fix CVE-2021-44731- A Privilege Escalation Vulnerability In Snap Package Manager?

Qualys security team reported the vulnerability to the both Vendor and Open Source distributions on October 27, 2021. In response to that, Ubuntu and other Linux distributions have released the patches on February 17 as part of a coordinated disclosure process. 

Snap v2.54.2 or lesser is vulnerable to the Snap-Confine Local Privilege Escalation Vulnerability. You should upgrade to v2.54.3 and above to fix the CVE-2021-44731 vulnerability.

How to Fix the CVE-2021-44731- A Privilege Escalation Vulnerability in Snap Package Manager?

  1. Verify the snapd version

    Run this command to check the snapd version on a Ubuntu server.

    $ sudo apt list snapd

    In this case, we have snapd v2.51.1 which can be upgradable to v2.54.3.

    check snap version
  2. Update the repositoryRun this command to update the repository.

    $ sudo apt update

    Update the repository in Ubuntu
  3. Upgrade the snapdRun this command to upgrade only snapd

    $ sudo apt install snapd=2.54.3+20.04.1ubuntu0.1


    Run this command to upgrade all the packages. We recommend this approach as it is good to keep all the packages up to date.

    $ sudo apt upgrade

    Upgrade the snapd
  4. Check the snapd versionCheck the snapd version as shone in the first step. Run this command to check the snapd version on a Ubuntu server.

    $ sudo apt list snapd

    How to Fix CVE-2021-44731- Snap-Confine Local Privilege Escalation Vulnerability

Leave a Reply