CVE-2021-4120
📋 TL;DR
This vulnerability in snapd allows malicious snaps to bypass strict confinement by injecting arbitrary AppArmor policy rules through malformed content interface and layout declarations. It affects systems running snapd 2.54.2 and earlier versions. Attackers could potentially escape snap confinement and gain elevated privileges on affected systems.
💻 Affected Systems
- snapd
📦 What is this software?
Fedora by Fedoraproject
Snapd by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through privilege escalation, allowing attackers to execute arbitrary code with elevated privileges, access sensitive data, and potentially pivot to other systems.
Likely Case
Local privilege escalation allowing malicious snaps to break out of confinement and access system resources they shouldn't have access to, potentially leading to data exfiltration or further system compromise.
If Mitigated
Limited impact with proper snap confinement and security policies in place, but still represents a significant security boundary violation.
🎯 Exploit Status
Exploitation requires creating or modifying a malicious snap package with specific malformed declarations. Proof of concept details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: snapd 2.54.3+18.04, 2.54.3+20.04, or 2.54.3+21.10.1 and later
Vendor Advisory: https://ubuntu.com/security/notices/USN-5292-1
Restart Required: No
Instructions:
1. Update snapd using your distribution's package manager.
2. For Ubuntu: 'sudo apt update && sudo apt install snapd'.
3. For Fedora: 'sudo dnf update snapd'.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable snapd temporarily
Temporarily disable the snapd service to prevent exploitation while planning updates
sudo systemctl stop snapd
sudo systemctl disable snapd
Remove untrusted snaps
Remove any untrusted or unnecessary snap packages to reduce attack surface
sudo snap list
sudo snap remove [untrusted-snap-name]
🧯 If You Can't Patch
- Implement strict snap review and approval processes for all snap installations
- Monitor system logs for unusual snap activity and implement network segmentation for systems running vulnerable snapd
🔍 How to Verify
Check if Vulnerable:
Check the snapd version with 'snap version' or 'snapd --version'. Versions 2.54.2 and earlier are vulnerable.
Check Version:
snap version | grep 'snapd'
Verify Fix Applied:
Verify snapd version is 2.54.3+18.04, 2.54.3+20.04, or 2.54.3+21.10.1 or later using 'snap version'
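The version comparison above can be scripted so that it works across a fleet. The following is an added example, not part of the original advisory or of snapd itself. It assumes the upstream threshold 2.54.3 implied by "2.54.2 and earlier", compares only the upstream part of the version string, and uses hypothetical function names and a constructed sample of 'snap version' output.

```shell
#!/bin/sh
# Added example: classify `snap version` output for CVE-2021-4120.
# Assumption: upstream 2.54.3 is the first fixed release (page: 2.54.2 and earlier are affected).
FIXED_UPSTREAM="2.54.3"

# Constructed sample of `snap version` output (not captured from a real host).
SAMPLE_OUTPUT='snap    2.54.2
snapd   2.54.2
series  16
ubuntu  20.04
kernel  5.4.0-99-generic'

# Read `snap version` output on stdin and print the value of the "snapd" row.
snapd_version_from_output() {
    awk '$1 == "snapd" { print $2; exit }'
}

# Print "fixed", "vulnerable" or "unknown" for one version string.
classify_snapd_version() {
    ver=$1
    # Drop the distro suffix (for example +20.04) and compare upstream versions only.
    upstream=${ver%%[+-]*}
    case $upstream in
        [0-9]*.[0-9]*) ;;                 # looks like a dotted version
        *) echo unknown; return 0 ;;      # empty or non-numeric: cannot decide
    esac
    # sort -V orders numerically per component, so 2.9 sorts before 2.54.3.
    lowest=$(printf '%s\n%s\n' "$FIXED_UPSTREAM" "$upstream" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_UPSTREAM" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Full check: pipe `snap version` output in, get the classification out.
check_snap_version_output() {
    ver=$(snapd_version_from_output)
    classify_snapd_version "$ver"
}

# Demo on the constructed sample; on a real host: snap version | check_snap_version_output
printf 'sample host: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | check_snap_version_output)"
```

An "unknown" result means the snapd row was missing or not a version number, for example when the daemon has been stopped as a workaround. In that case check the installed package version with the distribution's package manager instead.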
📡 Detection & Monitoring
Log Indicators:
- Unusual snap installation or modification events
- AppArmor policy violations or modifications related to snap confinement
- System logs showing unexpected privilege escalation
Network Indicators:
- Unexpected outbound connections from snap-confined processes
- Network traffic patterns inconsistent with normal snap behavior
SIEM Query:
(source="snapd" AND (event="install" OR event="refresh" OR event="remove") AND package_name="*malicious*") OR (source="apparmor" AND event="DENIED" AND process="snap.*")
🔗 References
- http://www.openwall.com/lists/oss-security/2022/02/18/2
- https://bugs.launchpad.net/snapd/+bug/1949368
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/
- https://ubuntu.com/security/notices/USN-5292-1