ghsa-p9v8-q5m4-pf46
Vulnerability from github
Published
2025-01-16 17:19
Modified
2025-01-16 17:19
Severity ?
4.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
CVE-2024-5138: snapd snapctl auth bypass
Details

Impact

A snap with prior permissions to create a mount entry on the host, such as firefox, normally uses the permission from one of the per-snap hook programs. A unprivileged users cannot normally trigger that behaviour by using snap run --shell firefox followed by snapctl mount, since snapd validates the requesting user identity (root or non-root). The issue allows unprivileged users to bypass that check by crafting a malicious command line vector which confuses snapd into thinking the help message is requested.

Unprivileged user on a default installation of Ubuntu, where firefox is as provided as a snap, may cause a denial-of-service attack by repeatedly mounting hunspell database over and over and eventually exhausting system memory.

Other attacks, reliant on the same underying mechanism (mount), are possible. In all cases the snap must be installed and grated permission to perform this action (by connecting an appropriate snap interface), which requires administrative privileges. As such we are focusing on the case of default installation where an unprivileged user may exploit this behavior.

Patches

Patch: https://github.com/canonical/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14 Release: Available from Snapd 2.64

Workarounds

Users may disconnect any instances of the mount-control interface to prevent snapd from creating such mount points. For example, the firefox snap has the host-hunspell plug, which is of type mount-control. The interface can be disconnected with:

sh sudo snap disconnect firefox:host-hunspell

References

The original bug report was made on Launchpad: https://bugs.launchpad.net/snapd/+bug/2065077 CVE.org: https://www.cve.org/CVERecord?id=CVE-2024-5138 Canonical: https://ubuntu.com/security/CVE-2024-5138

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/snapcore/snapd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.51.6"
            },
            {
              "fixed": "2.63.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/snapcore/snapd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20240524114846-68ee9c6aa916"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-5138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-16T17:19:07Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA snap with prior permissions to create a mount entry on the host, such as firefox, normally uses the permission from one of the per-snap hook programs. A unprivileged users cannot normally trigger that behaviour by using `snap run --shell firefox` followed by `snapctl mount`, since snapd validates the requesting user identity (root or non-root). The issue allows unprivileged users to bypass that check by crafting a malicious command line vector which confuses snapd into thinking the help message is requested.\n\nUnprivileged user on a default installation of Ubuntu, where firefox is as provided as a snap, may cause a denial-of-service attack by repeatedly mounting hunspell database over and over and eventually exhausting system memory.\n\nOther attacks, reliant on the same underying mechanism (mount), are possible. In all cases the snap must be installed and grated permission to perform this action (by connecting an appropriate snap interface), which requires administrative privileges. As such we are focusing on the case of default installation where an unprivileged user may exploit this behavior.\n\n### Patches\n\nPatch: https://github.com/canonical/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14\nRelease: Available from Snapd 2.64\n\n### Workarounds\n\nUsers may disconnect any instances of the mount-control interface to prevent snapd from creating such mount points. For example, the firefox snap has the `host-hunspell` plug, which is of type `mount-control`. The interface can be disconnected with:\n\n```sh\nsudo snap disconnect firefox:host-hunspell\n```\n\n### References\n\nThe original bug report was made on Launchpad: https://bugs.launchpad.net/snapd/+bug/2065077\nCVE.org: https://www.cve.org/CVERecord?id=CVE-2024-5138\nCanonical: https://ubuntu.com/security/CVE-2024-5138",
  "id": "GHSA-p9v8-q5m4-pf46",
  "modified": "2025-01-16T17:19:07Z",
  "published": "2025-01-16T17:19:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/canonical/snapd/security/advisories/GHSA-p9v8-q5m4-pf46"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/snapd/+bug/2065077"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/canonical/snapd"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/CVE-2024-5138"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-5138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CVE-2024-5138: snapd snapctl auth bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.