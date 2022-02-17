

A newly disclosed vulnerability in a Linux program can be exploited for local privilege escalation — and ultimately to acquire root privileges, researchers at cybersecurity vendor Qualys said today.

The vulnerability (CVE-2021-44731)—which affects Canonical’s Snap system for packaging and deploying software—is not remotely exploitable. However, “if an attacker can log in as any unprivileged user, the vulnerability can be quickly exploited to gain root privileges,” the researchers said in a blog post.

Snap is used for Linux-based operating systems, such as Ubuntu, and its packages are referred to as “snaps.” According to a recent XDA Developers post, “Snap applications are more portable than traditional Linux software, and most of them are containerized to prevent some common security issues.”

The tool for managing and running snaps is called snapd. It works “across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users,” Qualys researchers said in the post.

Snaps run in a sandbox with “mediated access to the host system,” the researchers said. The vulnerability affects snap-confine, a program used by snapd to construct the execution environment for snap applications, the Qualys post says.

“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host,” the researchers said. “Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu.”

VentureBeat has reached out to Canonical for comment.

The vulnerability was discovered by the Qualys researchers in October. They reported it to Canonical and Red Hat, leading to a coordinated announcement with vendors and open-source distributions today.

Qualys researchers said in the post they anticipate vendors will provide patches for the CVE-2021-44731 vulnerability “in the short term.”

As of this writing, the Common Vulnerabilities and Exposures (CVE) website did not yet have a listing for CVE-2021-44731.

The disclosure follows last month’s report by Qualys researchers about the vulnerability in a widely installed Linux program, polkit’s pkexec. The researchers dubbed the vulnerability “PwnKit,” and said it can be easily exploited for local privilege escalation and can be exploited to acquire root privileges.

The disclosure of the vulnerability also comes amid growing concerns about the prevalence of insecure software supply chains. High-profile incidents have included the SolarWinds and Kaseya breaches, while overall attacks involving software supply chains surged by more than 300% in 2021, Aqua Security reported.

Meanwhile, open source vulnerabilities such as the widespread flaws in the Apache Log4j logging library and PwnKit have underscored the issue. The Open Source Security Foundation recently announced a new project designed to secure the software supply chain, backed by $5 million from Microsoft and Google.