The Threat Research Unit at Qualys’ has revealed how a new Linux flaw tracked as (CVE-2022-3328), may be combined with two other, seemingly insignificant flaws to gain full root rights on a compromised system.
The Linux snap-confine function, a SUID-root program installed by default on Ubuntu, is where the vulnerability is located.
The snap-confine program is used internally by snapd to construct the execution environment for snap applications, an internal tool for confining snappy applications.
Linux Flaw Let Attackers Gain Full Root Privilege
The newly discovered flaw, tracked as CVE-2022-3328, is a race condition in Snapd, a Canonical-developed tool used for the Snap software packaging and deployment system.
The issue specifically affects the ‘snap-confine’ tool that Snapd uses to build the environment in which Snap applications are executed.
“In February 2022, Qualys Threat Research Unit (TRU) published CVE-2021-44731 in our “Lemmings” advisory. The vulnerability (CVE-2022-3328) was introduced in February 2022 by the patch for CVE-2021-44731).” reads the post published by Qualys.
“The Qualys Threat Research Unit (TRU) exploited this bug in Ubuntu Server by combining it with two vulnerabilities in multipathd called Leeloo Multipath (an authorization bypass and a symlink attack, CVE-2022-41974, and CVE-2022-41973), to obtain full root privileges”.
The CVE-2022-3328 weakness was chained by the researchers to two other flaws in Multipathd, a daemon responsible for looking for failed paths. Particularly, in several distributions’ default installations, including Ubuntu, Multipathd runs as root.
Two Vulnerabilities Impact Multipathd
- CVE-2022-41974 (CVSS 7.8)
The device-mapper-multipath, when used alone or in conjunction with CVE-2022-41973, enables local users to gain root access.
In this case, the access controls can be evaded and the multipath configuration can be changed by local users who have the ability to write to UNIX domain sockets.
This problem arises because using arithmetic ADD rather than bitwise OR causes a keyword to be incorrectly handled when repeated by an attacker. Local privilege escalation to root may result from this.
- CVE-2022-41973 (CVSS 7.0)
Together with CVE-2022-41974, the device-mapper-multipath enables local users to get root access. Further, due to improper symlink handling, local users with access to /dev/shm can modify symlinks in multipathd, which could result in controlled file writes outside of the /dev/shm directory. Hence, this could be used indirectly to elevate local privileges to the root.
Notably, any unprivileged user might get root access to a vulnerable device by chaining the Snapd vulnerability with the two Multipathd vulnerabilities.
“Qualys security researchers have verified the vulnerability, developed an exploit, and obtained full root privileges on default installations of Ubuntu,” Qualys said.
On Ubuntu default installations, Qualys security researchers have confirmed the vulnerability, developed an exploit and got full root access.
Although the vulnerability cannot be used remotely, the cybersecurity company issues a warning that it is unsafe because it can be used by an unprivileged user.
Mastering Linux Security and Hardening
DISC InfoSec
#InfoSecTools and #InfoSectraining
Ask DISC an InfoSec & compliance related question