Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 495
Alerts This Week
Warning Icon 1 495

Ubuntu 21.10: USN-5292-1 Critical Vulnerabilities in snapd Access Control

ubuntu
Calendar Grey February 17, 2022
Dist Ubuntu Esm H88
Important security enhancements for snapd target several vulnerabilities affecting different versions of Ubuntu.
Several security issues were fixed in snapd.

Summary

Several security issues were fixed in snapd.

Software Description:

- snapd: Daemon and tooling that enable snap packages

Details:

James Troup discovered that snap did not properly manage the permissions for

the snap directories. A local attacker could possibly use this issue to expose

sensitive information. (CVE-2021-3155)

Ian Johnson discovered that snapd did not properly validate content interfaces

and layout paths. A local attacker could possibly use this issue to inject

arbitrary AppArmor policy rules, resulting in a bypass of intended access

restrictions. (CVE-2021-4120)

The Qualys Research Team discovered that snapd did not properly validate the

location of the snap-confine binary. A local attacker could possibly use this

issue to execute other arbitrary binaries and escalate privileges.

(CVE-2021-44730)

The Qualys Research Team discovered that a race condition existed in the snapd

snap-confine binary when preparing a private mount namespace for a snap. A

local attacker...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
  snap-confine                    2.54.3+21.10.1
  snapd                           2.54.3+21.10.1

Ubuntu 20.04 LTS:
  snap-confine                    2.54.3+20.04
  snapd                           2.54.3+20.04

Ubuntu 18.04 LTS:
  snap-confine                    2.54.3+18.04
  snapd                           2.54.3+18.04

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-5292-1

CVE-2021-3155, CVE-2021-4120, CVE-2021-44730, CVE-2021-44731

Severity
critical
Lowest
Low
Medium
High
Critical

February 17, 2022

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.