CVE-2024-29069 - OpenCVE

In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squashfs file-system image and so can contain symbolic links and other file types. Various file entries within the snap squashfs image (such as icons and desktop files etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained symbolic links at these paths could then cause snapd to write out the contents of the symbolic link destination into a world-readable directory. This in-turn could allow an unprivileged user to gain access to privileged information.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Canonical	Snapd

Configuration 1 [-]

cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/snapcore/snapd/pull/13682

History

Mon, 26 Aug 2024 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Canonical Canonical snapd
Weaknesses		CWE-59
CPEs		cpe:2.3:a:canonical:snapd::::::::
Vendors & Products		Canonical Canonical snapd

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2024-07-25T19:39:41.050Z

Updated: 2024-08-02T01:03:51.700Z

Reserved: 2024-03-14T23:09:12.771Z

Link: CVE-2024-29069

Vulnrichment

Updated: 2024-07-26T13:27:46.436Z

NVD

Status : Analyzed

Published: 2024-07-25T20:15:04.483

Modified: 2024-08-26T16:55:36.350

Link: CVE-2024-29069

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29069", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2024-03-14T23:09:12.771Z", "datePublished": "2024-07-25T19:39:41.050Z", "dateUpdated": "2024-08-02T01:03:51.700Z"}, "containers": {"cna": {"title": "snapd will follow archived symlinks when unpacking a filesystem", "datePublic": "2024-03-14T13:47:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-610", "description": "CWE-610 Externally Controlled Reference to a Resource in Another Sphere", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-132", "descriptions": [{"lang": "en", "value": "CAPEC-132 Symlink Attack"}]}], "affected": [{"vendor": "Canonical", "product": "snapd", "platforms": ["Linux"], "packageName": "snapd", "repo": "https://github.com/snapcore/snapd/", "modules": ["squashfs"], "programFiles": ["snap/container.go", "snap/snapdir/snapdir.go", "snap/squashfs/squashfs.go"], "versions": [{"status": "affected", "version": "0", "lessThan": "2.62", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In snapd versions prior to 2.62, snapd failed to properly check the\ndestination of symbolic links when extracting a snap. The snap format \nis a squashfs file-system image and so can contain symbolic links and\nother file types. Various file entries within the snap squashfs image\n(such as icons and desktop files etc) are directly read by snapd when\nit is extracted. An attacker who could convince a user to install a\nmalicious snap which contained symbolic links at these paths could then \ncause snapd to write out the contents of the symbolic link destination\ninto a world-readable directory. This in-turn could allow an unprivileged\nuser to gain access to privileged information."}], "references": [{"url": "https://github.com/snapcore/snapd/pull/13682"}], "credits": [{"lang": "en", "value": "Zeyad Gouda", "type": "finder"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "baseScore": 4.8, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2024-07-25T19:39:41.050Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-26T13:27:42.541639Z", "id": "CVE-2024-29069", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T13:27:49.253Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.700Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/snapcore/snapd/pull/13682", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29069", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-26T13:27:42.541639Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T13:27:46.436Z"}}], "cna": {"title": "snapd will follow archived symlinks when unpacking a filesystem", "credits": [{"lang": "en", "type": "finder", "value": "Zeyad Gouda"}], "impacts": [{"capecId": "CAPEC-132", "descriptions": [{"lang": "en", "value": "CAPEC-132 Symlink Attack"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"repo": "https://github.com/snapcore/snapd/", "vendor": "Canonical", "modules": ["squashfs"], "product": "snapd", "versions": [{"status": "affected", "version": "0", "lessThan": "2.62", "versionType": "custom"}], "platforms": ["Linux"], "packageName": "snapd", "programFiles": ["snap/container.go", "snap/snapdir/snapdir.go", "snap/squashfs/squashfs.go"], "defaultStatus": "unaffected"}], "datePublic": "2024-03-14T13:47:00.000Z", "references": [{"url": "https://github.com/snapcore/snapd/pull/13682"}], "descriptions": [{"lang": "en", "value": "In snapd versions prior to 2.62, snapd failed to properly check the\ndestination of symbolic links when extracting a snap. The snap format \nis a squashfs file-system image and so can contain symbolic links and\nother file types. Various file entries within the snap squashfs image\n(such as icons and desktop files etc) are directly read by snapd when\nit is extracted. An attacker who could convince a user to install a\nmalicious snap which contained symbolic links at these paths could then \ncause snapd to write out the contents of the symbolic link destination\ninto a world-readable directory. This in-turn could allow an unprivileged\nuser to gain access to privileged information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-610", "description": "CWE-610 Externally Controlled Reference to a Resource in Another Sphere"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2024-07-25T19:39:41.050Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29069", "state": "PUBLISHED", "dateUpdated": "2024-07-26T13:27:49.253Z", "dateReserved": "2024-03-14T23:09:12.771Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2024-07-25T19:39:41.050Z", "assignerShortName": "canonical"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4A95DA5-EB47-48AA-B9C6-EB6D1489E832", "versionEndExcluding": "2.62", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In snapd versions prior to 2.62, snapd failed to properly check the\ndestination of symbolic links when extracting a snap. The snap format \nis a squashfs file-system image and so can contain symbolic links and\nother file types. Various file entries within the snap squashfs image\n(such as icons and desktop files etc) are directly read by snapd when\nit is extracted. An attacker who could convince a user to install a\nmalicious snap which contained symbolic links at these paths could then \ncause snapd to write out the contents of the symbolic link destination\ninto a world-readable directory. This in-turn could allow an unprivileged\nuser to gain access to privileged information."}, {"lang": "es", "value": "En versiones de snapd anteriores a la 2.62, snapd no pod\u00eda verificar correctamente el destino de los enlaces simb\u00f3licos al extraer un snap. El formato snap es una imagen del sistema de archivos squashfs y, por lo tanto, puede contener enlaces simb\u00f3licos y otros tipos de archivos. snapd lee directamente varias entradas de archivos dentro de la imagen de snap squashfs (como \u00edconos y archivos de escritorio, etc.) cuando se extrae. Un atacante que pudiera convencer a un usuario de que instalara un complemento malicioso que contuviera enlaces simb\u00f3licos en estas rutas podr\u00eda hacer que snapd escribiera el contenido del destino del enlace simb\u00f3lico en un directorio legible por todo el mundo. Esto, a su vez, podr\u00eda permitir que un usuario sin privilegios obtenga acceso a informaci\u00f3n privilegiada."}], "id": "CVE-2024-29069", "lastModified": "2024-08-26T16:55:36.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.4, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2024-07-25T20:15:04.483", "references": [{"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/snapcore/snapd/pull/13682"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-610"}], "source": "security@ubuntu.com", "type": "Secondary"}]}