CVE-2024-5138: CVE-2024-5138: snapd snapctl auth bypass
A snap with prior permissions to create a mount entry on the host, such as firefox, normally uses the permission from one of the per-snap hook programs. A unprivileged users cannot normally trigger that behaviour by using snap run --shell firefox followed by snapctl mount, since snapd validates the requesting user identity (root or non-root). The issue allows unprivileged users to bypass that check by crafting a malicious command line vector which confuses snapd into thinking the help message is requested.
Unprivileged user on a default installation of Ubuntu, where firefox is as provided as a snap, may cause a denial-of-service attack by repeatedly mounting hunspell database over and over and eventually exhausting system memory.
Other attacks, reliant on the same underying mechanism (mount), are possible. In all cases the snap must be installed and grated permission to perform this action (by connecting an appropriate snap interface), which requires administrative privileges. As such we are focusing on the case of default installation where an unprivileged user may exploit this behavior.
References
- bugs.launchpad.net/snapd/+bug/2065077
- github.com/advisories/GHSA-p9v8-q5m4-pf46
- github.com/canonical/snapd
- github.com/canonical/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14
- github.com/canonical/snapd/security/advisories/GHSA-p9v8-q5m4-pf46
- nvd.nist.gov/vuln/detail/CVE-2024-5138
- ubuntu.com/security/CVE-2024-5138
- www.cve.org/CVERecord?id=CVE-2024-5138
Detect and mitigate CVE-2024-5138 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →