CVE-2024-1724

2024-07-2519:15:09

Debian Security Bug Tracker

security-tracker.debian.org

snapd

apparmor

sandbox permissions

vulnerability

ubuntu

path

escape confinement

CVSS3

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

20.8%

JSON

In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatically added to the users PATH. An attacker who could convince a user to install a malicious snap which used the ‘home’ plug could use this vulnerability to install arbitrary scripts into the users PATH which may then be run by the user outside of the expected snap sandbox and hence allow them to escape confinement.

OSVersionArchitecturePackageVersionFilename
Debian12allsnapd<= 2.57.6-1snapd_2.57.6-1_all.deb
Debian11allsnapd<= 2.49-1+deb11u2snapd_2.49-1+deb11u2_all.deb
Debian999allsnapd< 2.62-1snapd_2.62-1_all.deb
Debian13allsnapd< 2.62-1snapd_2.62-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	snapd	<= 2.57.6-1	snapd_2.57.6-1_all.deb
Debian	11	all	snapd	<= 2.49-1+deb11u2	snapd_2.49-1+deb11u2_all.deb
Debian	999	all	snapd	< 2.62-1	snapd_2.62-1_all.deb
Debian	13	all	snapd	< 2.62-1	snapd_2.62-1_all.deb