CVE-2024-1724

6.3 MEDIUM

📋 TL;DR

This vulnerability in snapd versions before 2.62 allows malicious snaps with 'home' plug permissions to write arbitrary scripts to the user's $HOME/bin directory. Since Ubuntu automatically adds this directory to the user's PATH, these scripts can be executed outside the snap sandbox, enabling privilege escalation. Users running affected snapd versions on Ubuntu systems with $HOME/bin directories are vulnerable.

💻 Affected Systems

Products:
  • snapd
Versions: All versions prior to 2.62
Operating Systems: Ubuntu (primary), other Linux distributions using snapd
Default Config Vulnerable: ⚠️ Yes
Notes: Requires $HOME/bin directory to exist (common in Ubuntu) and user to install a snap with 'home' plug permission.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains persistent access to the user's system by planting malicious executables in $HOME/bin that run with the user's privileges whenever they execute commands from their PATH.

🟠 Likely Case

Malicious snap installs scripts that steal credentials, install backdoors, or perform other malicious actions when the user runs common commands.

🟢 If Mitigated

With proper snap confinement and user awareness, the risk is limited to users who install untrusted snaps with home plug access.

🌐 Internet-Facing: MEDIUM - Requires user interaction to install malicious snap, but snaps can be distributed through official channels.
🏢 Internal Only: MEDIUM - Internal users could be tricked into installing malicious snaps, but requires specific conditions ($HOME/bin exists).

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires convincing a user to install a malicious snap. Proof of concept details are publicly available in the referenced links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: snapd 2.62 and later

Vendor Advisory: https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6

Restart Required: No

Instructions:

1. Update snapd: sudo snap refresh snapd
2. Verify version: snap version
3. Ensure version is 2.62 or higher

🔧 Temporary Workarounds

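Remove $HOME/bin directory

Prevents automatic PATH inclusion in Ubuntu, eliminating the attack vector. The command below deletes everything already in the directory, so move any scripts you still need elsewhere first.

rm -rf ~/bin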

Restrict snap installation

Limit snap installation to trusted sources only

🧯 If You Can't Patch

  • Audit all installed snaps and remove any from untrusted sources
  • Monitor $HOME/bin directory for unexpected file creations

🔍 How to Verify

Check if Vulnerable:

Check if snapd version is below 2.62 and $HOME/bin directory exists

Check Version:

snap version | grep 'snapd'

Verify Fix Applied:

Confirm snapd version is 2.62 or higher and test that snaps cannot write to $HOME/bin
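
The check described above as a script (an added example, not from this advisory or the snapd project): it compares the snapd version against 2.62 with a version-aware sort, tests for $HOME/bin, and lists snaps with a connected home plug. The function names and verdict words are assumptions made for this example, and it relies on GNU `sort -V`.

```shell
#!/bin/sh
# Added example, not from the advisory or the snapd project.
FIXED="2.62"   # first fixed snapd release, as stated on this page

# version_lt A B: true when A sorts strictly before B (needs GNU `sort -V`).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Read `snap version` output on stdin, print the snapd version field.
snapd_version_from() {
    awk '$1 == "snapd" { print $2; exit }'
}

# exposure VERSION HOME_DIR: print patched | vulnerable | unpatched-no-bin | unknown
exposure() {
    _ver=$(printf '%s' "$1" | sed 's/+.*//')   # drop build suffix such as "+22.04"
    case $_ver in
        [0-9]*) ;;                             # looks like a version number
        *) echo unknown; return ;;             # empty or "unavailable"
    esac
    if ! version_lt "$_ver" "$FIXED"; then
        echo patched
    elif [ -d "$2/bin" ]; then
        echo vulnerable
    else
        echo unpatched-no-bin
    fi
}

# Read `snap connections` output on stdin, print snaps with a connected home plug.
home_plug_snaps() {
    awk '$1 == "home" && $3 != "-" { sub(/:.*/, "", $2); print $2 }'
}

# Live check: runs only where the snap CLI is installed.
if command -v snap >/dev/null 2>&1; then
    _v=$(snap version | snapd_version_from)
    echo "snapd ${_v:-not found}: $(exposure "$_v" "$HOME")"
    echo "snaps with a connected home plug:"
    snap connections | home_plug_snaps
fi
```

A plain string comparison would rank 2.9 above 2.62; the version-aware sort is what keeps such a release classified as unpatched.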

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes to $HOME/bin directory from snap processes
  • Installation of new snaps with home plug

Network Indicators:

  • Downloads of snap packages from untrusted sources

SIEM Query:

process.name:snapd AND file.path:/home/*/bin/*
