Attackers Gain Root Access on Linux Systems via Dirty Sock Vulnerability
A ZDNet article reports that a security researcher has published proof-of-concept (PoC) code for a vulnerability affecting Ubuntu and other Linux distros.
Canonical, the parent company of the Ubuntu operating system, released a patch (USN-3887-1) for this issue yesterday, ahead of the published PoC.
Chris Moberly discovered the vulnerability at the end of January. Moberly is a security researcher for Shenanigans Labs and has worked with the Canonical team to have it fixed. According to him, “the vulnerability doesn’t allow hackers to break into vulnerable machines remotely, but once attackers get their hands on any unpatched system they can turn a simple intrusion into a bad hack and have complete control over the OS.”
Technically, Dirty Sock is a local privilege escalation flaw that lets hackers create root-level accounts.
The actual vulnerability is in the Snapd daemon, which ships by default with all recent Ubuntu versions, so this isn’t a problem with the Ubuntu operating system itself. The flaw also affects some other Linux distros.
Developed by Canonical and used for Ubuntu apps since 2014, Snapd is the daemon that manages “snaps.” Snapd lets users download and install apps in the .snap file format.
Moberly says that Snapd exposes a local REST API server that snap packages (and the official Ubuntu Snap Store) interact with during the installation of new apps (snaps).
The researcher says he identified a way to skirt the access control restrictions imposed on this API server and gain access to all API functions, including the ones restricted for the root user.
The proof-of-concept code includes two example exploits that can be used to abuse this API and create new root-level accounts.
The malicious code to exploit this vulnerability can be run directly on an infected host or can be hidden inside malicious snap packages, some of which have been known to make their way onto the Ubuntu Snap Store in the past.
Snapd versions 2.28 through 2.37 are all vulnerable to the Dirty Sock exploit. Moberly reported the issue to Canonical, Snapd’s developer, which released Snapd version 2.37.1 this week to address the issue.
At the same time, Canonical also released security updates for the Ubuntu Linux OS, for which the Snapd package was initially developed and where it’s included and enabled by default.
Other Linux distros that use Snapd also shipped security updates, such as Debian, Arch Linux, OpenSUSE, Solus, and Fedora.
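For administrators triaging hosts, the following added example (not code from the researcher or Canonical) classifies a snapd version string against the range given above: 2.28 through 2.37 affected, 2.37.1 fixed. The function names and the sample version strings are constructed for illustration. Distro packages can carry the fix as a backport under an older upstream number, so a result in the affected range means checking the vendor advisory (USN-3887-1 on Ubuntu), not that the host is necessarily unpatched.

```shell
#!/bin/sh
# Added example: classify a snapd version against the range given in the article
# (2.28 through 2.37 affected, fixed in 2.37.1). Function names are illustrative.

# Keep the leading dotted-numeric upstream part: "2.34.2+18.04" -> "2.34.2".
upstream_version() {
    printf '%s\n' "$1" | sed -E 's/^[^0-9]*([0-9]+(\.[0-9]+)*).*/\1/'
}

# Succeed if version $1 is strictly lower than $2, comparing numerically per component.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a='' || a=${a#*.}
        [ "$b" = "$y" ] && b='' || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Print one of: unknown, below-affected-range, affected-range, fixed-upstream.
snapd_status() {
    v=$(upstream_version "$1")
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if version_lt "$v" 2.28; then
        echo below-affected-range
    elif version_lt "$v" 2.37.1; then
        # Distro packages may backport the fix without changing the upstream
        # number, so confirm against the vendor advisory before concluding.
        echo affected-range
    else
        echo fixed-upstream
    fi
}

# Constructed sample version strings (not taken from any advisory).
for sample in 2.27.6 2.28 2.34.2+18.04 2.37 2.37.1 2.40; do
    printf '%-14s %s\n' "$sample" "$(snapd_status "$sample")"
done

# Live check, only when snapd is present on this host.
if command -v snap >/dev/null 2>&1; then
    installed=$(snap version 2>/dev/null | awk '$1 == "snapd" { print $2 }')
    printf 'installed snapd %s: %s\n' "${installed:-?}" "$(snapd_status "$installed")"
fi
```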