CVE-2024-1724

2024-07-2519:15:09

CWE-732

canonical

web.nvd.nist.gov

snapd vulnerability

apparmor enforcement

unauthorized writes

user path

malicious snap

confinement escape

cve-2024-1724

CVSS3

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

20.8%

JSON

In snapd versions prior to 2.62, when using AppArmor for enforcement of
sandbox permissions, snapd failed to restrict writes to the $HOME/bin
path. In Ubuntu, when this path exists, it is automatically added to
the users PATH. An attacker who could convince a user to install a
malicious snap which used the ‘home’ plug could use this vulnerability
to install arbitrary scripts into the users PATH which may then be run
by the user outside of the expected snap sandbox and hence allow them
to escape confinement.

Affected configurations

Nvd

Node

canonicalsnapdRange<2.62

VendorProductVersionCPE
canonicalsnapd*cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
canonical	snapd	*	cpe:2.3:a:canonical:snapd::::::::

CNA Affected

[
  {
    "vendor": "Canonical",
    "product": "snap",
    "platforms": [
      "Linux"
    ],
    "packageName": "snapd",
    "repo": "https://github.com/snapcore/snapd/",
    "modules": [
      "Generated AppArmor policy"
    ],
    "programFiles": [
      "interfaces/builtin/home.go"
    ],
    "programRoutines": [
      {
        "name": "homeConnectedPlugAppArmor"
      }
    ],
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "2.62",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]