Vulnerabilities > CVE-2019-7303 - Unspecified vulnerability in Canonical Snapd

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
canonical
nessus
exploit available
NVD
Published: 2019-04-23
Updated: 2024-11-21

Summary

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl(2) commands on a 64-bit platform; however, the Linux kernel only uses the lower 32 bits to determine which ioctl(2) commands to run. This issue affects: Canonical snapd versions prior to 2.37.4.

Vulnerable Configurations

Part Description Count
Application
Canonical
177
OS
Canonical
4

Exploit-Db

idEDB-ID:46594
last seen2019-03-22
modified2019-03-22
published2019-03-22
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/46594
titlesnap - seccomp BBlacklist for TIOCSTI can be Circumvented

Nessus

NASL familyUbuntu Local Security Checks
NASL idUBUNTU_USN-3917-1.NASL
descriptionThe snapd default seccomp filter for strict mode snaps blocks the use of the ioctl() system call when used with TIOCSTI as the second argument to the system call. Jann Horn discovered that this restriction could be circumvented on 64 bit architectures. A malicious snap could exploit this to bypass intended access restrictions to insert characters into the terminal
last seen2020-06-01
modified2020-06-02
plugin id123077
published2019-03-25
reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/123077
titleUbuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : snapd vulnerability (USN-3917-1)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3917-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(123077);
  script_version("1.4");
  script_cvs_date("Date: 2019/09/18 12:31:49");

  script_cve_id("CVE-2019-7303");
  script_xref(name:"USN", value:"3917-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : snapd vulnerability (USN-3917-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The snapd default seccomp filter for strict mode snaps blocks the use
of the ioctl() system call when used with TIOCSTI as the second
argument to the system call. Jann Horn discovered that this
restriction could be circumvented on 64 bit architectures. A malicious
snap could exploit this to bypass intended access restrictions to
insert characters into the terminal's input queue. On Ubuntu, snapd
typically will have already automatically refreshed itself to snapd
2.37.4 which is unaffected.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3917-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected snapd package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:snapd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/25");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04|16\.04|18\.04|18\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 18.04 / 18.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"snapd", pkgver:"2.37.4~14.04.1")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"snapd", pkgver:"2.37.4ubuntu0.1")) flag++;
if (ubuntu_check(osver:"18.04", pkgname:"snapd", pkgver:"2.37.4+18.04.1")) flag++;
if (ubuntu_check(osver:"18.10", pkgname:"snapd", pkgver:"2.37.4+18.10.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "snapd");
}

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/152190/GS20190322023625.txt
idPACKETSTORM:152190
last seen2019-03-22
published2019-03-22
reporterGoogle Security Research
sourcehttps://packetstormsecurity.com/files/152190/snap-seccomp-TIOCSTI-Blacklist-Circumvention.html
titlesnap seccomp TIOCSTI Blacklist Circumvention

References