Ubuntu and other Linux distros at risk from Oh Snap! More Lemmings security exploit

Security researchers from Qualys have issued a warning about a local privilege escalation vulnerability discovered in the snap-confine function of Canonical’s Snap package manager.

Known as Oh Snap! More Lemmings and tracked as CVE-2021-44731, the collection of security flaws can be exploited to gain root privileges.

Introducing its findings, the Qualys Research Team says that it “has discovered multiple vulnerabilities in the snap-confine function on Linux operating systems, the most important of which can be exploited to escalate privilege to gain root privileges”. The security firm goes on to say:

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu.

In all, there are seven vulnerabilities:

CVE-2021-44731 — Race condition in snap-confine’s setup_private_mount()

CVE-2021-44730 — Hardlink attack in snap-confine’s sc_open_snapd_tool()

CVE-2021-3996 — Unauthorized unmount in util-linux’s libmount

CVE-2021-3995 — Unauthorized unmount in util-linux’s libmount

CVE-2021-3998 — Unexpected return value from glibc’s realpath()

CVE-2021-3999 — Off-by-one buffer overflow/underflow in glibc’s getcwd()

CVE-2021-3997 — Uncontrolled recursion in systemd’s systemd-tmpfiles.

A video shows a proof-of-concept for the exploit:

Qualys shares details of the Vulnerability Disclosure Timeline:

Full technical details can be found in Qualys’ security advisory here.

Patches have been produced for some distros, and more are on the way, so check the usual sources for updates.

Author: Martha Meyer