Major Linux distributions, including Ubuntu, are affected by a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to obtain root privileges and total control over the targeted system, and from there potentially pivot to other parts of the network. The vulnerability, dubbed "Dirty_Sock" and identified as CVE-2019-7304, was discovered by security researcher Chris Moberly, who privately disclosed it to Canonical, the maker of Ubuntu, late last month.
The vulnerability resides in the REST API of the snapd service, a universal Linux packaging system that lets an application run on various Linux distributions without requiring any modification. Built by Canonical, Snap comes installed by default on all versions of Ubuntu and is also used by other Linux distributions, including Debian, OpenSUSE, Arch Linux, Solus, and Fedora.
Snap packages are essentially applications bundled together with their dependencies, along with instructions on how to run them and how they interact with other software, on Linux systems for desktop, cloud, and the Internet of Things.

The snapd service locally hosts a web server on an AF_UNIX socket that exposes a set of RESTful APIs used to perform various actions on the operating system. These REST APIs come with access control that defines user-level permission for specific tasks: some powerful APIs are only available to the root user, while others can be accessed by low-privileged users.
According to Moberly, a flaw in the way the access control mechanism checks the UID associated with each request made to the server allows an attacker to overwrite the UID value and reach any API function, including those restricted to the root user.
"Snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket," Ubuntu explains in its advisory. "A local attacker could use this to access privileged socket APIs and obtain administrator privileges."
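The defensive principle behind this class of bug is that a service listening on an AF_UNIX socket should take the peer's UID from the kernel (SO_PEERCRED), which the client cannot influence, rather than from any string the client can shape. The Go program below is an added example written for this article; it is not snapd's code, and the names PeerUID, Authorize and DemoPeerUID, as well as the "privileged endpoint requires root" rule, are assumptions made for the illustration. It creates a throwaway listener, connects a client from the same process, and shows the server obtaining the client's UID from the kernel.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// PeerUID returns the UID of the process at the other end of a connected
// AF_UNIX socket, as reported by the kernel through SO_PEERCRED. The kernel
// fills this in from the peer's own credentials; nothing the peer writes or
// names can change it, which is the property an access check needs.
// (Hypothetical helper for this example, not a snapd function.)
func PeerUID(conn *net.UnixConn) (uint32, error) {
	raw, err := conn.SyscallConn()
	if err != nil {
		return 0, err
	}
	var cred *syscall.Ucred
	var credErr error
	if err := raw.Control(func(fd uintptr) {
		cred, credErr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil {
		return 0, err
	}
	if credErr != nil {
		return 0, credErr
	}
	return cred.Uid, nil
}

// Authorize is an assumed snapd-style access rule (not snapd's real policy):
// privileged endpoints require the kernel-reported peer UID to be root,
// unprivileged endpoints accept any caller.
func Authorize(peerUID uint32, privileged bool) bool {
	if !privileged {
		return true
	}
	return peerUID == 0
}

// DemoPeerUID stands up a listener in a temp directory, connects a client to it
// from this same process, and returns the UID the server side observes for that
// client. Expected result: the UID of the current process.
func DemoPeerUID() (uint32, error) {
	dir, err := os.MkdirTemp("", "peercred-demo")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)
	addr := &net.UnixAddr{Name: filepath.Join(dir, "api.sock"), Net: "unix"}

	ln, err := net.ListenUnix("unix", addr)
	if err != nil {
		return 0, err
	}
	defer ln.Close()

	type result struct {
		uid uint32
		err error
	}
	served := make(chan result, 1)
	go func() {
		// Server side: accept one connection and ask the kernel who it is.
		conn, err := ln.AcceptUnix()
		if err != nil {
			served <- result{0, err}
			return
		}
		defer conn.Close()
		uid, err := PeerUID(conn)
		served <- result{uid, err}
	}()

	// Client side: plain connect, no credentials sent by the client at all.
	client, err := net.DialUnix("unix", nil, addr)
	if err != nil {
		return 0, err
	}
	defer client.Close()

	r := <-served
	return r.uid, r.err
}

func main() {
	uid, err := DemoPeerUID()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("kernel-reported peer uid=%d, may call privileged API: %v\n",
		uid, Authorize(uid, true))
}
```

Run as an ordinary user and the privileged check is refused; the server never had to trust anything the client supplied. The example is Linux-specific, since SO_PEERCRED and syscall.Ucred exist only there.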
It should be noted, however, that since Dirty Sock is a local privilege escalation flaw, it does not on its own allow attackers to compromise a vulnerable Linux system remotely.
Moberly has also released two proof-of-concept (PoC) exploits on GitHub today: one requires an SSH connection, while the other sideloads a malicious snap by abusing the API.
Canonical has released snapd version 2.37.1 this week to address the vulnerability, and Ubuntu and other major Linux distributions have already rolled out fixed versions of their packages.
Linux users are strongly advised to upgrade vulnerable installations as soon as possible.