USN-4424-1: snapd vulnerabilities

15 July 2020

An intended access restriction in snapd could be bypassed by strict mode snaps.

Releases

Packages

  • snapd - Daemon and tooling that enable snap packages

Details

It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and
Ubuntu Core 18 devices ran on every boot without restrictions. A physical
attacker could exploit this to craft cloud-init user-data/meta-data via
external media to perform arbitrary changes on the device to bypass
intended security mechanisms such as full disk encryption. This issue did
not affect traditional Ubuntu systems. (CVE-2020-11933)

It was discovered that snapctl user-open allowed altering the XDG_DATA_DIRS
environment variable when calling the system xdg-open. A malicious snap
could exploit this to bypass intended access restrictions to control how
the host system xdg-open script opens the URL. This issue did not affect
Ubuntu Core systems. (CVE-2020-11934)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04
Ubuntu 19.10
Ubuntu 18.04
Ubuntu 16.04

In general, a standard system update will make all the necessary changes.
On Ubuntu, snapd will automatically refresh itself to snapd 2.45.2 which
is unaffected.