Source: Ubuntu.com (ubuntucve), ID: UB:CVE-2020-11934
Date: Jul 15, 2020 - 12:00 a.m.

CVE-2020-11934


CVSS3: 5.9 Medium
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

CVSS2: 1.9 Low
  Access Vector: LOCAL
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.0004 Low (Percentile: 11.7%)

It was discovered that snapctl user-open allowed altering the
$XDG_DATA_DIRS environment variable when calling the system xdg-open.
OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to
append a path to a directory controlled by the calling snap. A malicious
snap could exploit this to bypass intended access restrictions to control
how the host system xdg-open script opens the URL and, for example, execute
a script shipped with the snap without confinement. This issue did not
affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2,
2.45.1+18.04.2 and 2.45.1+20.04.2.

Notes

Author: emitorino
Note: Since the vulnerability is present on the userd’s OpenURL implementation, it only affects classic distros where userd is auto-started. Since userd cannot be auto-started on Ubuntu Core 16, Ubuntu Core 18 or Ubuntu Core 20 (for various reasons depending on the release), then Ubuntu Core is not affected. Even if userd happened to start (e.g., the user started it manually on UC20) there is no implicitOnCore policy that allows communicating with io.snapcraft.Launcher (or the older com.canonical.SafeLauncher). The dbus interface can’t be used (with either plugs or slots) to communicate with userd. /usr/bin/xdg-open on the boot file system of an Ubuntu Core system is different to Classic: it is the sandbox proxy that calls back into userd. Even if a session bus is running and a confined app could call userd, userd will report an error because the caller is not confined.

Affected packages:

OS      OS Version  Architecture  Package  Package Version     Filename
ubuntu  18.04       noarch        snapd    < 2.45.1+18.04.2    UNKNOWN
ubuntu  19.10       noarch        snapd    < 2.45.1+19.10.2    UNKNOWN
ubuntu  20.04       noarch        snapd    < 2.45.1+20.04.2    UNKNOWN
ubuntu  16.04       noarch        snapd    < 2.45.1ubuntu0.2   UNKNOWN
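
A check of an installed snapd package version against the fixed versions listed above, added here as an example (not code from Ubuntu or the snapd project). The function names are hypothetical, and `dpkg_cmp` is a small reimplementation of Debian package version ordering so the check runs without dpkg; the sample versions in the comments are constructed.

```python
import re
from itertools import zip_longest

# Fixed snapd versions per Ubuntu release, copied from the table on this page.
FIXED = {"16.04": "2.45.1ubuntu0.2", "18.04": "2.45.1+18.04.2",
         "19.10": "2.45.1+19.10.2", "20.04": "2.45.1+20.04.2"}

def _order(ch):
    # dpkg character order: '~' sorts before end-of-run, letters before other symbols.
    if ch == "~":
        return -1
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Walk both strings as alternating (non-digit run, digit run) pairs.
    pairs = zip_longest(re.findall(r"(\D*)(\d*)", a),
                        re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in pairs:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def dpkg_cmp(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to, or after b."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_vulnerable(release, installed):
    """True if installed snapd predates the fix; None if the release is not listed."""
    fixed = FIXED.get(release)
    return None if fixed is None else dpkg_cmp(installed, fixed) < 0
```

On a classic Ubuntu host the installed version string can be read with `dpkg-query -W -f='${Version}' snapd` and passed in together with the release number.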
