February 18, 2022

Episode 149

23 minutes

Overview

This week Qualys dominate the week in security updates, disclosing details

of 4 different SUID-root vulnerabilities, including Oh Snap! More Lemmings

(Local Privilege Escalation in snap-confine), plus we look at updates for

Firefox, cryptsetup and more.

This week in Ubuntu Security Updates

23 unique CVEs addressed

[USN-5279-1] util-linux vulnerabilities [00:59]

2 CVEs addressed in Focal (20.04 LTS), Impish (21.10)

CVE-2021-3996

CVE-2021-3995

First 2 of number of vulns discovered by Qualys this week

umount and fusermount are both setuid root

An unprivileged user is allowed to unmount a FUSE filesystem which is

already mounted and which they own

libumount parses /proc/self/mountinfo to validate if is a FUSE fs

When a mount entry is deleted, the kernel appends (deleted) to the name

of it in the mount table

libumount strips this off when parsing mountinfo to get the actual path

so a user could mount a FUSE filesystem at a mountpoint with (deleted) in

the name - and then libumount will strip this off and umount the original

path - ie. could mount at /tmp/ (deleted) then call umount /tmp and this

will succeed

Fixed to drop support for this (deleted) suffix as this has not been used

by the kernel since December 2014

Also when checking the UID of the user (as the owner of the filesystem),

would do a string comparison on the UID of the user against the UID of

the filesystem - but would use the length of the users UID to do this

comparison - which means a user UID of 1000 would then be seen to match

against a file-systems UID of 10000 etc - so would allow a user to umount

filesystems owned by certain other users

Fixed to compare as a numerical value rather than strings

[USN-5280-1] Speex vulnerability [04:41]

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)

CVE-2020-23903

Divide by zero from a crafted WAV file - trap - crash - DoS

[USN-5284-1] Firefox vulnerabilities [04:56]

9 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)

CVE-2022-22757

CVE-2022-22756

CVE-2022-22754

CVE-2022-22764

CVE-2022-22761

CVE-2022-22760

CVE-2022-22759

CVE-2022-22755

CVE-2022-0511

97.0

Extensions could bypass update prompt and auto-update itself with extra

permissions

Drag and drop of a crafted image would make the resulting file

executable - could possibly use as RCE

WebDriver (remote control interface for firefox) failed to validate

Host/Origin headers - if visit malicious website with WebDriver enabled

could then allow attacker to connect back to the user’s browser and take

control of it

[USN-5286-1] cryptsetup vulnerability [06:20]

1 CVEs addressed in Focal (20.04 LTS), Impish (21.10)

CVE-2021-4122

Failed to properly validate the device header - local attacker with

physical access could modify this to trick cryptsetup to reencrypt the

device on next mount - but reencrypt it with no encryption enabled -

ie. decrypt it in place

Fixed by disabling the online reencryption feature

[USN-5267-3] Linux kernel (Raspberry Pi) vulnerabilities [07:11]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-42739

CVE-2021-3752

CVE-2021-3640

Episode 148 - 2 vulns in bluetooth and one in Firewire subsystems - local

attacker crash / RCE - corresponding fixes for RPi on 20.04 or 18.04 with

HWE

[USN-5291-1] libarchive vulnerabilities [07:36]

3 CVEs addressed in Focal (20.04 LTS), Impish (21.10)

CVE-2021-36976

CVE-2021-31566

CVE-2021-23177

2 issues in symlink handling - would follow symlinks when changing

modes/times/ACLs on files when extracting a crafted archive - could allow

an attacker to modify these attributes on files outside of the archive

Memory corruption when parsing RAR archive - DoS/RCE

[USN-5292-1] snapd vulnerabilities [08:27]

4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)

CVE-2021-44731

CVE-2021-44730

CVE-2021-4120

CVE-2021-3155

More Qualys issues in setuid root binary - snap-confine - plus 2 issues

discovered by Canonical - 1 from Ian Johnson of the snapd team, and 1

from James Troup of the BootStack team

Oh Snap! More Lemmings (Local Privilege Escalation in snap-confine) [09:01]

https://www.qualys.com/2022/02/17/cve-2021-44731/oh-snap-more-lemmings.txt

Qualys appear to have been auditing various SUID-root binaries - recently

looked at snap-confine - low-level application, written in C, and used by

snapd to setup the execution environment for a snap application - as the

name suggests, it setups up the confinement for an application, creating

a separate mount namespace with own private /tmp and /dev/pts - as well

as any other mounts through content interfaces or layouts etc defined by

the snap, plus loading of seccomp syscall filters for the resulting snap

As such requires root privileges, hence is SUID-root - high value target

Very defensively programmed itself, plus is confined by seccomp and

AppArmor itself

Nonetheless, even the most carefully programmed software can have issues

2 vulns:

hardlink attack (requires a non-standard configuration where system

admin disabled usual hardlink protections)

race-condition when creating mount namespace - allows an unprivileged

user to inject their own malicious libraries into the snap execution

environment and have these get executed by snap-confine itself to gain

root privesc

Qualys liken these vulnerabilities (or the process to finding them) as

like playing the original Lemmings game, due to the complex nature of

steps required to thwart the defense-in-depth construction of

snap-confine

Not the first time snap-confine has been audited - SuSE Security Team

previously audited it in 2019 and found a couple issues, in particular in

some of the same code sections as these

Back to these vulns:

When creating or deleting the mount namespace, snap-confine uses 2

helper programs written in Go - these are installed in the same

location as snap-confine, so it looks them up from the same directory

where it is running itself - however, since (when protected_hardlinks

is disabled) an unprivileged user could hardlink snap-confine into say

/tmp they could also then place their own malicious binary in place of

these helpers and have that get executed by snap-confine instead

NOTE: protected_hardlinks is enabled by default on almost all distros

so unless this has been changed by the system admin, this is unable to

be exploited in reality

Other vuln is a race condition when creating the private mount

namespace for the snap - snap-confine creates a per-snap private

directory under /tmp - this is a known “dangerous” thing to do since

/tmp is world writable so users could easily try and symlink their own

contents into it etc

snap-confine is very careful then to try and ensure this directory is

owned by root and to then avoid following symlinks when traversing this

hierarchy etc

However, when then doing the actual mount() syscall to start setting up

the mount namespace inside this directory, the absolute path of this

directory is given to mount() (since sadly there is no mountat() or

similar syscall) - which then does follow symlinks allowing a user who

an race the creation of this directory with snap-confine to be able to

take control of the contents of it, and hence inject their own

libraries and configuration such that a malicious library can be

preloaded into a subsequent execution of snap-confine - and since

snap-confine will then still run as root, this allows to get root code

execution

In both cases, the use of AppArmor by default tries to isolate

snap-confine - and snap-confine is programmed defensively such that it

will refuse to execute if it is not confined by AppArmor - however, the

checks for this were not strict enough, and Qualys found they could use

aa-exec to execute snap-confine under a separate, more permissive

AppArmor profile to escape these restrictions

Fixes for these issues were numerous - to both add additional hardening

to snap-confine so that it would validate the AppArmor profile it

executes under is the one that is expected - plus the actual fixes for

the vulnerabilities themselves, by checking snap-confine is located where

it expects to be (so it doesn’t execute other arbitrary helpers), and to

also when setting up the mount namespace directory hierarchy, forcefully

try and move aside any existing parts that are not root owned so it can

create them afresh with known ownership/permissions so that unprivileged

users can’t trick it with their own contents

As mentioned, also includes fixes for 2 other issues identified by

Canonical - open permissions on snap per-user HOME/private storage allows

other users to potentially access private info stored by snaps

Plus a more sinister issue in the handling of AppArmor rules for snaps

A snap can define a content interface - way of making files available to

other snaps - snaps can then connect to this to access that content -

often used to implement plugins or other such concepts between snaps

When creating an AppArmor profile for a snap, adds additional rules then

to allow access to these paths within the other snap

Included code to validate that a snap wasn’t trying to expose content it

shouldn’t BUT didn’t validate that these were just paths and nothing else

Since AppArmor policy is human-readable text files, these get generated

by snapd by adding the content interface paths into the policy

Content interface path could then contain additional AppArmor policy

directives and these would get included in the generated profile

Since any snap can specify content interfaces, and they get

auto-connected by snaps from the same publisher, would then just have to

get a user to install 2 malicious snaps from the same publisher where one

declares a malicious interface like this and then the snaps will be able

to escape the usual strict confinement provided by AppArmor

Fixed in snapd to both validate paths more correctly, and to also quote

all file-system paths in the generated AppArmor policies so that

arbitrary rules cannot be specified

Shows that the defence-in-depth approach is still worthwhile - Qualys

mentions they nearly gave up looking for vulns and then on trying to

exploit them due to just how hard the task appeared given all the

defensive measures they would have to overcome

Want to thank Qualys for all their efforts in disclosing vulns and in

providing feedback on proposed fixes etc, and the snapd team for all

their help on finding and remediating the vulnerability with content

interface / layout paths, plus on preparing and delivering this update

Has been in the works for a while, glad it is finally out

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings