CVE-2024-1724

In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatically added to the users PATH. An attacker who could convince a user to install a malicious snap which used the 'home' plug could use this vulnerability to install arbitrary scripts into the users PATH which may then be run by the user outside of the expected snap sandbox and hence allow them to escape confinement.
Configurations

Configuration 1 (hide)

cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:51

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.2
v2 : unknown
v3 : 6.3
References () https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6 - Patch () https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6 - Patch
References () https://github.com/snapcore/snapd/pull/13689 - Issue Tracking, Patch () https://github.com/snapcore/snapd/pull/13689 - Issue Tracking, Patch
References () https://gld.mcphail.uk/posts/explaining-cve-2024-1724/ - Exploit, Technical Description, Third Party Advisory () https://gld.mcphail.uk/posts/explaining-cve-2024-1724/ - Exploit, Technical Description, Third Party Advisory

26 Aug 2024, 16:44

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.3
v2 : unknown
v3 : 8.2
References () https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6 - () https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6 - Patch
References () https://github.com/snapcore/snapd/pull/13689 - () https://github.com/snapcore/snapd/pull/13689 - Issue Tracking, Patch
References () https://gld.mcphail.uk/posts/explaining-cve-2024-1724/ - () https://gld.mcphail.uk/posts/explaining-cve-2024-1724/ - Exploit, Technical Description, Third Party Advisory
CPE cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*
First Time Canonical
Canonical snapd

26 Jul 2024, 12:38

Type Values Removed Values Added
Summary
  • (es) En versiones de snapd anteriores a la 2.62, cuando se usaba AppArmor para hacer cumplir los permisos de la zona de pruebas, snapd no podía restringir las escrituras en la ruta $HOME/bin. En Ubuntu, cuando esta ruta existe, se agrega automáticamente al PATH del usuario. Un atacante que pudiera convencer a un usuario para que instalara un complemento malicioso que usara el complemento "home" podría usar esta vulnerabilidad para instalar scripts arbitrarios en el PATH del usuario que luego el usuario podría ejecutar fuera del entorno de pruebas esperado y, por lo tanto, permitirle escapar del encierro.

25 Jul 2024, 20:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.3

25 Jul 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-25 19:15

Updated : 2024-11-21 08:51


NVD link : CVE-2024-1724

Mitre link : CVE-2024-1724

CVE.ORG link : CVE-2024-1724


JSON object : View

Products Affected

canonical

  • snapd
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource