Amy Burnett (itzn), working responsibly in conjunction with the Ubuntu Security Team, has released her report and Proof of Concept (POC) on CVE-2020-27348. The bug in Ubuntu’s widespread and embedded Snapcraft container package manager allows arbitrary remote code execution via a library inclusion bug that added the local directory to the package’s library path. Ubuntu directs users to use the Snapcraft manager as the default installer in versions higher than 20. Examples in the POC include VLC, the common video viewer in Ubuntu, as well as Chromium and Docker. The patch is in any version of Snapcraft that is 4.4.4 or above; all lower versions are vulnerable. Patching Snapcraft, however, is not sufficient: every vulnerable application needs to be refreshed to eliminate the vulnerability in that specific application.
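A defender-side check for the condition described above, as an added example that is not from the report or the Snapcraft project: it flags `LD_LIBRARY_PATH` values containing an empty or relative entry, which the glibc loader resolves against the current working directory. The wrapper scripts, the `/snap/app/1` path, the assumption that the entry comes from expanding an unset variable, and the "fixed" idiom are constructed for illustration.

```python
import re

_ALT = re.compile(r"\$\{(\w+):\+([^}]*)\}")    # ${VAR:+word}
_VAR = re.compile(r"\$(?:\{(\w+)\}|(\w+))")    # ${VAR} or $VAR
_ASSIGN = re.compile(r'^\s*(?:export\s+)?LD_LIBRARY_PATH=(["\']?)(.*)\1\s*$')

def cwd_entries(value):
    """Return (index, entry) pairs the glibc loader resolves against the
    current working directory: empty and relative entries. A wholly empty
    value is ignored by the loader. Loader tokens ($ORIGIN) are not handled."""
    if value == "":
        return []
    return [(i, e) for i, e in enumerate(value.split(":")) if not e.startswith("/")]

def expand(template, env):
    """Minimal shell-style expansion; an unset variable expands to ''."""
    template = _ALT.sub(lambda m: m.group(2) if env.get(m.group(1)) else "", template)
    return _VAR.sub(lambda m: env.get(m.group(1) or m.group(2), ""), template)

def audit_wrapper(text, env):
    """Return (line number, expanded value, risky entries) per assignment."""
    findings, env = [], dict(env)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _ASSIGN.match(line)
        if not m:
            continue
        value = expand(m.group(2), env)
        env["LD_LIBRARY_PATH"] = value      # later lines see the new value
        risky = cwd_entries(value)
        if risky:
            findings.append((lineno, value, risky))
    return findings

# Constructed sample input, not taken from any real snap.
ENV = {"SNAP": "/snap/app/1"}               # LD_LIBRARY_PATH deliberately unset
VULNERABLE = ('#!/bin/sh\n'
              'export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$SNAP/usr/lib"\n'
              'exec "$SNAP/bin/app" "$@"\n')
FIXED = ('#!/bin/sh\n'
         'export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$SNAP/usr/lib"\n'
         'exec "$SNAP/bin/app" "$@"\n')

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, audit_wrapper(text, ENV))
```

The constructed vulnerable wrapper is only flagged when `LD_LIBRARY_PATH` is unset or empty in the calling environment, so an audit should evaluate wrappers under a clean environment rather than the auditor's own.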