
Several Vulnerabilities Were Discovered in the snap-confine Program on Linux Systems

 

Security researchers at Qualys have uncovered several flaws in Canonical's Snap software packaging and deployment system. Bharat Jogi, head of vulnerability and threat research at Qualys, wrote in a blog post that the team discovered multiple vulnerabilities in the snap-confine program on Linux systems, "the most important of which can be abused to escalate privilege to gain root rights."

Canonical created Snap, a software packaging and distribution system for operating systems built on the Linux kernel. The packages, known as snaps, and the tool that installs and runs them, snapd, work across a variety of Linux distributions and let upstream developers deliver their applications directly to users. Snaps are self-contained applications that run in a sandbox with mediated access to the host system. snap-confine is a setuid-root helper program that snapd uses internally to construct the confined execution environment for a snap application; because it runs with root privileges on behalf of an unprivileged user, any flaw in it is a candidate for local privilege escalation.

If this vulnerability is successfully exploited, any unprivileged local user can gain root privileges on the vulnerable system. Qualys researchers independently verified the vulnerability, developed an exploit, and obtained full root privileges on default Ubuntu installations. As soon as the Qualys Research Team confirmed the vulnerability, it engaged in responsible disclosure and coordinated with Canonical and with both vendor and open-source distributions to announce the newly discovered flaw.

Canonical, the publisher of Ubuntu, said in a statement that throughout the development process it has tried to ensure that the subsystems on which the snap platform is built are used safely. It pointed out that, because of automatic refreshes, the majority of snap-distributed platform installations around the world have already been updated.
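Two things a practitioner will want to confirm after reading the above: that snap-confine on a given host is still the setuid-root helper the design depends on (it has to be, for confinement to work, and that is exactly why a bug in it becomes a local privilege escalation), and that the automatic refresh Canonical mentions has actually delivered a patched snapd. The script below is an added example, not code from Qualys or the snapd project; the install paths are the usual Debian/Ubuntu and core-snap locations, and the MINIMUM_FIXED value is an assumption that you should replace with the version named in your distribution's advisory.

```python
"""Added example: audit the snap-confine privilege boundary on a Linux host.

Checks:
  1. Is snap-confine a setuid binary owned by root at the usual locations?
  2. Is the installed snapd at or above the version assumed to carry the fix?
"""
import os
import shutil
import stat
import subprocess
from typing import Optional, Tuple

# Assumption: replace with the fixed version named in your distribution's advisory.
MINIMUM_FIXED = "2.54.3"

# Usual locations: the Debian/Ubuntu package, and the copy snapd re-execs into
# from the core snap.
SNAP_CONFINE_PATHS = (
    "/usr/lib/snapd/snap-confine",
    "/snap/core/current/usr/lib/snapd/snap-confine",
)


def is_setuid_root(path: str) -> Optional[bool]:
    """True if path is a setuid binary owned by uid 0, False if it exists but
    is not, None if the path does not exist on this host."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.54.3+21.10ubuntu1' -> (2, 54, 3). Distro suffixes after '+', '~' or
    '-' are dropped; a non-numeric tail inside a component is ignored."""
    core = version
    for sep in ("+", "~", "-"):
        core = core.split(sep, 1)[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_at_least(version: str, minimum: str) -> bool:
    """Component-wise comparison. A missing trailing component counts as
    lower, so a truncated '2.54' is reported as NOT fixed against '2.54.3'."""
    return parse_version(version) >= parse_version(minimum)


def snapd_version_from_output(text: str) -> Optional[str]:
    """Pick the 'snapd <version>' line out of `snap version` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "snapd":
            return fields[1]
    return None


def installed_snapd_version() -> Optional[str]:
    """Run `snap version` if the snap CLI is present; None otherwise."""
    if shutil.which("snap") is None:
        return None
    try:
        out = subprocess.run(["snap", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return snapd_version_from_output(out)


def audit(paths=SNAP_CONFINE_PATHS, minimum: str = MINIMUM_FIXED) -> dict:
    """Collect findings in a dict so a caller (or a test) can assert on them."""
    findings = {p: is_setuid_root(p) for p in paths}
    version = installed_snapd_version()
    findings["snapd_version"] = version
    findings["snapd_fixed"] = is_at_least(version, minimum) if version else None
    return findings


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

A host where both paths report None has no snap-confine at all and is out of scope; a host where snap-confine exists but is not setuid root is misconfigured rather than safe, since snapd cannot set up confinement without it. Note that the version comparison deliberately treats a short version string as not fixed, so a truncated or unexpected `snap version` line fails closed.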

In addition, Qualys reported six further vulnerabilities. It described each one and asked all users to patch as soon as possible. “Unfortunately, such a modern confinement platform involves many subsystems, and sometimes we make mistakes. Thankfully, Canonical and Ubuntu are part of a large community that includes competent security researchers. Recently, Qualys informed us that one of the tools that is a part of the snap platform contains a security issue,” a Canonical spokesperson said.

“In their words: Discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu), because snap-confine uses a very defensive programming style, AppArmor profiles, seccomp filters, mount namespaces, and two Go helper programs,” the spokesperson added.

Microsoft: Shrootless Bug Allows Hackers to Install macOS Rootkits

 

A new macOS vulnerability found by Microsoft could be used by attackers to circumvent System Integrity Protection (SIP) and perform operations that even the root user is normally blocked from, such as modifying protected system files and installing rootkits on vulnerable machines.

The Microsoft 365 Defender Research Team disclosed the Shrootless vulnerability, now tracked as CVE-2021-30892, to Apple through the Microsoft Security Vulnerability Research (MSVR) programme. SIP, also known as "rootless", is a macOS security mechanism that protects designated system files and directories by restricting even the root user's ability to modify them.

SIP permits only processes signed by Apple, or those carrying specific entitlements (for example, Apple software updates and Apple installers), to modify these protected parts of macOS. Microsoft researchers found the Shrootless flaw after noticing that the system_installd daemon carries the com.apple.rootless.install.inheritable entitlement, which allows any child process it spawns to inherit its SIP filesystem bypass.
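The security-relevant detail in the paragraph above is the word "inheritable": an entitlement of that form extends the SIP bypass to every child the daemon spawns, so a defender wants to know which signed binaries on a host carry one. Entitlements are embedded in the code signature and can be dumped as an XML plist with `codesign -d --entitlements :- <binary>`. The script below is an added example, not code from Microsoft or Apple; it parses such a plist offline with the standard library and, on macOS, can call codesign itself. The sample plist is constructed for the example and is not a real dump; whether your codesign also needs `--xml` to emit XML (newer macOS releases) is an assumption you should check locally.

```python
"""Added example: list SIP-related (com.apple.rootless.*) entitlements in a
binary's entitlement plist and flag the inheritable ones."""
import plistlib
import subprocess
from typing import Dict

ROOTLESS_PREFIX = "com.apple.rootless."
INHERITABLE_SUFFIX = ".inheritable"

# Constructed sample modelled on an installer daemon's entitlements (not a
# real dump): one inheritable rootless entitlement, one unrelated, one false.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.inheritable</key>
    <true/>
    <key>com.apple.private.security.storage.AppBundles</key>
    <true/>
    <key>com.apple.rootless.storage.SomeCategory</key>
    <false/>
</dict>
</plist>
"""


def rootless_entitlements(plist_bytes: bytes) -> Dict[str, bool]:
    """Return every com.apple.rootless.* entitlement that is set to true,
    mapped to whether child processes inherit it (name ends in '.inheritable').
    Entitlements set to false are ignored: they grant nothing."""
    entitlements = plistlib.loads(plist_bytes)
    return {
        name: name.endswith(INHERITABLE_SUFFIX)
        for name, value in entitlements.items()
        if name.startswith(ROOTLESS_PREFIX) and value is True
    }


def grants_inheritable_sip_bypass(plist_bytes: bytes) -> bool:
    """True if any child process of this binary would inherit a SIP bypass."""
    return any(rootless_entitlements(plist_bytes).values())


def entitlements_of(binary: str, xml_flag: bool = False) -> bytes:
    """macOS only: dump a binary's entitlement plist via codesign. The ':-'
    form strips codesign's blob header; set xml_flag on releases whose
    codesign needs '--xml' to emit XML (assumption, check locally). The
    output is cut at '<?xml' so a leading banner cannot confuse plistlib."""
    cmd = ["codesign", "-d", "--entitlements", ":-"]
    if xml_flag:
        cmd.append("--xml")
    cmd.append(binary)
    out = subprocess.run(cmd, capture_output=True, check=True).stdout
    start = out.find(b"<?xml")
    return out[start:] if start >= 0 else out


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if not targets:
        print("sample:", rootless_entitlements(SAMPLE_ENTITLEMENTS))
    for binary in targets:
        found = rootless_entitlements(entitlements_of(binary))
        flag = "INHERITABLE" if any(found.values()) else "ok"
        print(f"{flag:12} {binary}: {sorted(found)}")
```

Run it with no arguments to see the constructed sample flagged, or with one or more binary paths on a Mac to audit real signatures. Pair the result with `csrutil status`: an inheritable rootless entitlement only matters on a host where SIP is enabled, and on such a host the binaries it flags are the ones whose child processes (post-install scripts, helper shells) must be treated as part of the trusted computing base.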

Jonathan Bar Or, a principal security researcher at Microsoft, stated: "We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others."

Apple addressed the vulnerability in the security updates released on October 26, 2021. According to Apple's security advisory, "a malicious programme may be able to manipulate protected areas of the file system."

"We want to thank the Apple product security team for their professionalism and responsiveness in fixing the issue," Jonathan Bar Or added.

Microsoft also announced last week that it had discovered new variants of the macOS WizardUpdate malware (also known as UpdateAgent or Vigram), upgraded with new evasion and persistence techniques.

The trojan delivers second-stage malware payloads such as Adload, a malware family active since late 2017 that is notorious for infecting Macs despite Apple's built-in, YARA signature-based XProtect antivirus.