Ubuntu and other Linux distros at risk from Oh Snap! More Lemmings security exploit
Security researchers from Qualys have issued a warning about a local privilege escalation vulnerability discovered in snap-confine, part of Canonical's Snap package manager.
Known as Oh Snap! More Lemmings and tracked as CVE-2021-44731, the collection of security flaws can be exploited by a local user to gain root privileges.
Introducing its findings, the Qualys Research Team says that it "has discovered multiple vulnerabilities in the snap-confine function on Linux operating systems, the most important of which can be exploited to escalate privilege to gain root privileges". The security firm goes on to say:
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu.
In all, there are seven vulnerabilities:
- CVE-2021-44731 -- Race condition in snap-confine's setup_private_mount()
- CVE-2021-44730 -- Hardlink attack in snap-confine's sc_open_snapd_tool()
- CVE-2021-3996 -- Unauthorized unmount in util-linux's libmount
- CVE-2021-3995 -- Unauthorized unmount in util-linux's libmount
- CVE-2021-3998 -- Unexpected return value from glibc's realpath()
- CVE-2021-3999 -- Off-by-one buffer overflow/underflow in glibc's getcwd()
- CVE-2021-3997 -- Uncontrolled recursion in systemd's systemd-tmpfiles
Qualys has also published a video showing a proof-of-concept of the exploit.
Qualys shares details of the Vulnerability Disclosure Timeline:
- 2021-10-27: We sent our advisory and proofs-of-concepts to security@ubuntu.
- 2021-11-10: We sent our advisory and proofs-of-concepts (without the snap-confine vulnerabilities) to secalert@redhat.
- 2021-12-29: We sent a write-up and the patch for the systemd vulnerability to linux-distros@openwall.
- 2022-01-10: We published our write-up on the systemd vulnerability (https://www.openwall.com/lists/oss-security/2022/01/10/2).
- 2022-01-12: Red Hat filed the glibc vulnerabilities upstream (https://sourceware.org/bugzilla/show_bug.cgi?id=28769 and https://sourceware.org/bugzilla/show_bug.cgi?id=28770).
- 2022-01-20: We sent a write-up and the patches for the util-linux vulnerabilities to linux-distros@openwall.
- 2022-01-24: We published our write-up on the util-linux vulnerabilities (https://www.openwall.com/lists/oss-security/2022/01/24/2).
- 2022-01-24: We published our write-up on the glibc vulnerabilities (https://www.openwall.com/lists/oss-security/2022/01/24/4).
- 2022-02-03: We sent our advisory and Ubuntu sent their patches for the snap-confine vulnerabilities to linux-distros@openwall.
- 2022-02-17: Coordinated Release Date (5:00 PM UTC) for the snap-confine vulnerabilities.
Full technical details can be found in Qualys' security advisory.
Patches have been produced for some distros, and more are on the way, so check the usual sources for updates.