A newly disclosed vulnerability in a Linux program can be exploited for local privilege escalation — and ultimately to acquire root privileges, researchers at cybersecurity vendor Qualys said today.

The vulnerability (CVE-2021-44731) — which affects Canonical’s Snap system for packaging and deploying software — is not remotely exploitable. However, “if an attacker can log in as any unprivileged user, the vulnerability can be quickly exploited to gain root privileges,” the researchers said in a blog post.

Snap is used for Linux-based operating systems such as Ubuntu, and its packages are referred to as “snaps.” The snap platform “has been developed to bring secure application installations to Ubuntu and other Linux distributions,” Canonical said in a statement provided to VentureBeat on Thursday.

Via a recent XDA Developers post, “Snap applications are more portable than traditional Linux software, and most of them are containerized to prevent some common security issues.”

The tool for using snaps, meanwhile, is called snapd — and the tool works “across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users,” Qualys researchers said in the post.

Exploit threat

Snaps run in a sandbox with “mediated access to the host system,” the researchers said. The vulnerability affects Snap-confine, a program utilized by snapd to construct the execution environment used by snap applications, the Qualys post says.

“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host,” the researchers said. “Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu.”

The vulnerability was discovered by the Qualys researchers in October. They reported it to Canonical and Red Hat, leading up to a coordinated announcement with vendor and open-source distributions today.

Snap has become “reasonably widespread” in the Linux world, as numerous major vendors distribute packages using it, said Mike Parkin, engineer at Vulcan Cyber.

“While any exploit that can give root access is problematic, being a local exploit reduces the risk somewhat,” Parkin said in an email. “But even considering this is a local exploit, patching vulnerable systems should be a priority.”

As of Thursday afternoon, “thanks to automatic refreshes, most snap-distributed platform installations in the world have already been fixed via updates,” Canonical said in its statement Thursday. “Updates for other packaging systems are also available and rolling out.”

Throughout the development of the snap platform, “we have taken great care to ensure that the subsystems it depends on are used safely. Unfortunately, such a modern confinement platform involves many subsystems, and sometimes we make mistakes,” the statement from Canonical said. “We are thankful to the great community we are part of, for finding and disclosing such security issues responsibly.”

Open source vulnerabilities

The disclosure follows last month’s report by Qualys researchers about the vulnerability in a widely installed Linux program, polkit’s pkexec. The researchers dubbed the vulnerability “PwnKit,” and said it can be easily exploited for local privilege escalation and to acquire root privileges.

The disclosure of the vulnerability also comes amid growing concerns about the prevalence of insecure software supply chains. High-profile incidents have included the SolarWinds and Kaseya breaches, while overall attacks involving software supply chains surged by more than 300% in 2021, Aqua Security reported.

Meanwhile, open source vulnerabilities such as the widespread flaws in the Apache Log4j logging library and PwnKit have underscored the issue. The Open Source Security Foundation recently announced a new project designed to secure the software supply chain, backed by $5 million from Microsoft and Google.