Security: snapd snapctl Auth Bypass

Hi Rory, thanks for the excellent report. We'll investigate and get back to you.

I’ve picked this up after discussing with Alex internally

I had a look at the code and apart from the parsing bug, which is not great, we are still somewhat protected by the fact that we only allow to perform the sort of operation (mount is just an example, other operations exposed thruogh snapctl are equally affected), by additional layer of checks that looks for the matching interface connection.

Since I'm at a conference now my focus is limited. I will try to provide a fix tomorrow and ensure I didn't miss anythnig which would raise the severity of the exploit.

I have a fix locally and I'm working through the process of how to handle the pull request.

I've shared the patch with Alex for review. We need to improve our GitHub security process but I don't want to couple this with fixing this today.

Please refer to this issue as CVE-2024-5138.

Thanks for the spread test @zyga - I was initially confused by the

echo 'snapctl ...' | not tests.session

invocation since I read it as 'echo this thing' and on failure run snap run --shell ... - so I wonder if it would be possible to rewrite it with a more explicit invocation of snap run --shell (note the following suggestion is entirely untested):

not tests.session -u test exec snap run --shell test-snapd-sh.sh -e 'snapctl umount /var/snap/test-snapd-sh/common/alsa -- --help'

Thank you for the review Alex! I had a look at doing this without passing stdin but it seems not to be possible as we erase remaining arguments in shell mode: https://github.com/snapcore/snapd/blob/master/cmd/snap-exec/main.go#L227

After some more digging I realized that snap-exec is doing a bit more. Attaching revised patch.

Awesome - thanks @zyga, looks great!

We've created a github advisory https://github.com/snapcore/snapd/security/advisories/GHSA-p9v8-q5m4-pf46 that is liked back to this issue and the CVE.

Dear reporter, to be credited there we need to confirm your GitHub username: can you please clarify if that is "psychomario"?

Alex: there's now a private PR https://github.com/snapcore/snapd-ghsa-p9v8-q5m4-pf46/pull/1 with the two patches.

@zyga My GitHub username is rmcnamara-snyk, thanks! (psychomario is my personal username)

@zygra, please add me to the GitHub issue: eslerm

@zygra, @alexmurray, when you have chosen a date to release the patches please share it here to give Rory a heads up. Often reporters wish to coordinate releasing an analysis blog post or similar. 24 hours is usually enough of a heads up.

@rmcnamara-snyk, how would you like to be attributed in the CVE publication data?

I have no permission to do that. I've asked Ernest to add you.

Once the PR is approved should we wait with the merge to hit the coordinated release date? If so please be mindful of the fact that we cannot release immediately, and usually once a test tarball is up, it takes 2-3 weeks for QA and certification to give us a green light.

@eslerm Could I be attributed as "Rory McNamara from Snyk Security Labs" please?

@rmcnamara-snyk: Can do!

@zygra: Good question. Generally I let projects set and coordinate around their embargo policy. I asked Canonical Security and they said this was okay to post.

Are the patches publicly available during the 2-3 weeks of QA and certification?

Some consider releasing patches as breaking embargo and others consider public announcement as breaking embargo. VINCE allow this type of "silent patching" but, does not advocate for it. It's never ideal, but may be practical. If tooling for QA and certification were private the policy could be tighter.

Snyk may require coordination timing. It takes a lot of labor to audit software and report issues. If Snyk plans to publish an analysis of a report, we can help to maximize the benefit of the post.

My preference is to release security announcements as soon as possible to protect users. Ideally, Snyk could agreee to less than 24 hours notice to publish a blog post (say, 1 hours advanced notice?). Allowing 24 hours seems fair to the reporter and (longterm) user security.

To speed things up, If you are certain that tests will finish by a certain date, you could set a Coordinated Release Date (CRD) if Snyk agrees to changing the CRD if tests/QA fail.

@rmcnamara-snyk: How much advanced notice does Snyk require? Thank you.

@eslerm: For this specific issue we don't plan on publishing a blog post, so no particular notice is requested on our side. Thank you for the consideration however.

We are working on an improved process where we can make an entirely private snapd build so that we can start the QA process without releasing the patches. Otherwise our prior approach was to land the patches that fix a bug but not make it clear that a security issue is being addressed, and only clarify they were associated with a CVE after everything is released.

@Eslerm please coordinate with @Ernest on our team with regards to the private process.

Great, thanks @rmcnamara-snyk and @zyga!

@zygra please give me a heads up before the patch is made public. I would like to publish the CVE at the same time.

I was not the one responsible for merging it but I think it did get merged recently. Please check with Ernest.

@zygra I should have said ready to make this public, not when the patches are made public.

Since the commit states that this is a security issue, by including a GHSA, I'm going to publish the CVE and make this bug public.

https://github.com/snapcore/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14

CVE published: https://www.cve.org/CVERecord?id=CVE-2024-5138

Making bug public.

A huge thank you to Rory McNamara and Snyk Security Labs for reporting this \o/