Amy Burnett (itzn), working responsibly in conjunction with the Ubuntu Security Team, has released her report and Proof of Concept (POC) on CVE-2020-27348. The bug in Ubuntu's widespread and embedded Snapcraft container package manager allows arbitrary remote code execution via a library inclusion bug that added the local directory to the package's library path. Ubuntu directs users to utilize the Snapcraft manager as the default installer in versions higher than 20. Examples in the POC include VLC, the common video viewer in Ubuntu, as well as Chromium and Docker. The patch is in any version of Snapcraft that is 4.4.4 or above; all lower versions are vulnerable. Patching Snapcraft, however, is not sufficient: every vulnerable application needs to be refreshed in order to eliminate the vulnerability in that specific application.
Due to responsible disclosure practices, many Ubuntu users will have already had the opportunity to update Snapcraft to a patched version, as the patch was released in December 2020. Now that the vulnerability and proof of concept exploit code have been reported, anyone who has not yet updated should do so, and should also refresh all applicable Snapcraft applications. This can be done by visiting https://snapcraft.io/build and clicking "Trigger New Build", or by clicking "Request Builds" on the local launchpad. No information was made available on whether this vulnerability was employed in the wild. It is, however, a demonstration that perimeter security will have inevitable failures due to bugs in software development, and that a targeted, well-informed threat hunting program is an essential aspect of a defense-in-depth strategy to mitigate risks.
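The following check is an added example, not code from the report, the POC or Snapcraft. It assumes the library path in question is `LD_LIBRARY_PATH`, where the Linux dynamic loader treats an empty entry (a leading, trailing or doubled separator) as the current working directory, and it flags such entries in a path string or in the environment of running processes. The function names are hypothetical and the sample values are constructed.

```python
import glob
import re

def risky_entries(value):
    """Return (index, entry) for each LD_LIBRARY_PATH entry resolved against the cwd."""
    if not value:            # glibc ignores an unset or empty variable
        return []
    found = []
    for i, entry in enumerate(re.split(r"[:;]", value)):  # ld.so accepts ':' and ';'
        if entry.startswith(("$ORIGIN", "${ORIGIN}")):
            continue         # expands to the executable's directory, not the cwd
        if not entry.startswith("/"):
            found.append((i, entry))  # "" and "." both mean the current directory
    return found

def library_path_of(environ_bytes):
    """Extract LD_LIBRARY_PATH from a NUL-separated /proc/<pid>/environ blob."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_LIBRARY_PATH="):
            return item.split(b"=", 1)[1].decode(errors="replace")
    return None

def scan_running_processes():
    """Audit every process whose environment we are allowed to read."""
    report = {}
    for path in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(path, "rb") as fh:
                value = library_path_of(fh.read())
        except OSError:      # process exited or permission denied
            continue
        hits = risky_entries(value) if value is not None else []
        if hits:
            report[path.split("/")[2]] = (value, hits)
    return report

if __name__ == "__main__":
    # Constructed sample values, not taken from the report or POC
    for sample in ("/opt/app/lib:/usr/lib", "/opt/app/lib::/usr/lib", ":/opt/app/lib"):
        print(repr(sample), "->", risky_entries(sample))
    for pid, (value, hits) in scan_running_processes().items():
        print(f"pid {pid}: LD_LIBRARY_PATH={value!r} cwd-relative entries {hits}")
```

Run it after refreshing applications: a process that still reports a cwd-relative entry was launched from a build that has not picked up the fix.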