snap policy module can be unloaded, circumventing audio recording restrictions for snaps
Bug #1877102 reported by James Henstridge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pulseaudio (Ubuntu) | Fix Released | Medium | Jamie Strandboge |
Xenial | Fix Released | Medium | Jamie Strandboge |
Bionic | Fix Released | Medium | Jamie Strandboge |
Eoan | Fix Released | Medium | Jamie Strandboge |
Focal | Fix Released | Medium | Jamie Strandboge |
Groovy | Fix Released | Medium | Jamie Strandboge |
Bug Description
This collates information about a security vulnerability discussed in email. It has been assigned CVE-2020-11931.
Ubuntu's PulseAudio package is shipped with a custom "module-
This allows a snap that has only plugged "audio-playback" to request that PulseAudio unload the security policy module, which in turn makes it possible to record audio.
CVE References
Changed in pulseaudio (Ubuntu Groovy):
importance: High → Medium
Changed in pulseaudio (Ubuntu Focal):
importance: Undecided → Medium
Changed in pulseaudio (Ubuntu Eoan):
importance: Undecided → Medium
Changed in pulseaudio (Ubuntu Bionic):
importance: Undecided → Medium
Changed in pulseaudio (Ubuntu Xenial):
importance: Undecided → Medium
information type: Private Security → Public Security
Attached is a snapcraft.yaml file that can be used to build an exploit snap. With it built and installed, we can see that recording is initially blocked:
$ record-exploit.parecord /tmp/foo.wav
Stream error: Access denied
But if we disable the security policy first, we can record:
$ record-exploit.disable-security
$ record-exploit.parecord /tmp/foo.wav
^C
The snap also exposes a "record-exploit.pactl" command to help demonstrate what is possible from within confinement.
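A defender-side check for the condition this bug describes, added here as an example and not taken from the bug report or the PulseAudio package: it compares two snapshots of `pactl list short modules` output and reports whether the policy module has gone missing or been reloaded. The module name is a placeholder because the page truncates the real one; the function names and the sample snapshots are constructed for illustration.

```python
import subprocess

# Placeholder: the page truncates the real module name, so supply it yourself.
POLICY_MODULE = "module-POLICY-PLACEHOLDER"


def parse_modules(text):
    """Parse `pactl list short modules` output into {index: name}."""
    modules = {}
    for line in text.splitlines():
        fields = line.split("\t")  # columns: index, name, argument
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # skip blank or malformed lines
        modules[int(fields[0])] = fields[1]
    return modules


def policy_status(before, after, policy=POLICY_MODULE):
    """Compare two snapshots; return 'ok', 'unloaded', 'reloaded' or 'missing'."""
    old = {i for i, name in parse_modules(before).items() if name == policy}
    new = {i for i, name in parse_modules(after).items() if name == policy}
    if not new:
        # Loaded earlier and gone now is the state the bug makes reachable.
        return "unloaded" if old else "missing"
    if old and old != new:
        # PulseAudio assigns a fresh index on every load, so a changed index
        # means the module was unloaded and loaded again between polls.
        return "reloaded"
    return "ok"


def snapshot():
    """Take a live snapshot (needs pactl and a running PulseAudio server)."""
    return subprocess.run(["pactl", "list", "short", "modules"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample snapshots (not captured from a real system).
BEFORE = ("0\tmodule-device-restore\t\t\n"
          "1\tmodule-POLICY-PLACEHOLDER\t\t\n"
          "2\tmodule-native-protocol-unix\t\t\n")
UNLOADED = ("0\tmodule-device-restore\t\t\n"
            "2\tmodule-native-protocol-unix\t\t\n")
RELOADED = UNLOADED + "7\tmodule-POLICY-PLACEHOLDER\t\t\n"

if __name__ == "__main__":
    for label, after in (("unchanged", BEFORE), ("gone", UNLOADED), ("back", RELOADED)):
        print(label, policy_status(BEFORE, after))
```

On a live system, call `snapshot()` periodically and pass consecutive results to `policy_status()` with the real module name as `policy`.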