The Qualys Threat Research Unit (TRU) has discovered a new vulnerability in snap-confine function on Linux operating systems, a SUID-root program installed by default on Ubuntu. Qualys recommends that security teams apply the patch for this vulnerability as soon as possible.
In February 2022, Qualys Threat Research Unit (TRU) published CVE-2021-44731 in our “Lemmings” advisory. The vulnerability (CVE-2022-3328) was introduced in February 2022 by the patch for CVE-2021-44731)
The Qualys Threat Research Unit (TRU) exploited this bug in Ubuntu Server by combining it with two vulnerabilities in multipathd called Leeloo Multipath (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973), to obtain full root privileges.
What is snap-confine?
The snap-confine program is used internally by snapd to construct the execution environment for snap applications, an internal tool for confining snappy applications.
Potential Impact
Successful exploitation of the three vulnerabilities lets any unprivileged user gain root privileges on the vulnerable device. Qualys security researchers have verified the vulnerability, developed an exploit and obtained full root privileges on default installations of Ubuntu.
As soon as the Qualys Threat Research Unit confirmed the vulnerability, we engaged in responsible vulnerability disclosure and coordinated with vendors and open-source distributions to announce this newly discovered vulnerability.
Technical Details of snap-confine’s must_mkdir_and_open_with_perms()
The technical details of snap-confine vulnerability can be found at:
https://www.qualys.com/2022/11/30/cve-2022-3328/advisory-snap.txt
Disclosure Timeline
- 2022-08-23: Contacted [email protected]
- 2022-11-28: Contacted [email protected]
- 2022-11-30: Coordinated Release Date (17:00 UTC)
Qualys QID Coverage
Qualys is releasing the QIDs in the table below as they become available, starting with vulnsigs version VULNSIGS-2.5.642-3 and in Linux Cloud Agent manifest version lx_manifest-2.5.642.3-2.
| QID | Title |
|---|---|
| 377800 | Snapd Race condition vulnerability |
Discover Vulnerable Linux Servers Using Qualys VMDR
The following instructs current Qualys customers on how to detect snap-confine in their environment.
Identify Assets Running Linux OS
The first step in managing this critical vulnerability and reducing risk is the identification of all assets running Linux OS. Qualys CyberSecurity Asset Management makes it easy to identify such assets.
Query: operatingSystem.name:”Linux” 
Once the hosts are identified, they can be grouped together with a ‘dynamic tag’, let’s say: “Linux Servers.” This helps by automatically grouping existing hosts with the above vulnerabilities as well as any new Linux assets that spin up in your environment. Tagging makes these grouped assets available for querying, reporting, and management throughout the Qualys Cloud Platform.
Prioritize Based on RTIs
Using Qualys VMDR, the Snap-confine vulnerability can be prioritized using the following real-time threat indicators (RTIs):
- Predicted_High_Risk
- Privilege_Escalation
- Easy_Exploit
- High_Lateral_Movement
Patch With Qualys VMDR
We expect vendors to release patches for this vulnerability in the short term. Qualys Patch Management can be used to deploy those patches to vulnerable assets, when available.
Using the same prioritization based on the RTI method as described above, customers can use the “patch now” button found to the right of the vulnerability to add Snap-confine to a patch job. Once patches are released, Qualys will find the relevant patches for this vulnerability and automatically add those patches to a patch job. This will allow customers to deploy those patches to vulnerable devices, all from the Qualys Cloud Platform.
Gain exposure visibility and remediation tracking with Unified Dashboard
With the Qualys Unified Dashboard, you can track the vulnerability exposure within your organization and view your impacted hosts, their status, distribution across environments and overall management in real-time, allowing you to see your MTTR.
Vendor References
https://www.qualys.com/2022/11/30/cve-2022-3328/advisory-snap.txt
Frequently Asked Questions (FAQs)
Will the Qualys Research Team publish exploit code for this vulnerability?
No. Not at this time.
Are there any mitigations for this vulnerability?
No.
Is this vulnerability remotely exploitable?
No. But if an attacker can log in as any unprivileged user, the vulnerability can be quickly exploited to gain root privileges.