Multiple vulnerabilities put 40 million Ubuntu users at risk

News
By published

Researchers uncover privilege escalation flaw in Ubuntu snap-confine function

Ubuntu
(Image credit: Canonical)

Security researchers have recently found “multiple vulnerabilities” on Ubuntu systems, some of which would allow a threat actor to gain root privileges on the target endpoint.

In a blog post, Bharat Jogi, Director of Vulnerability and Threat Research at Qualys, said the team found the flaws in the snap-confine function on Linux operating systems. Approximately 40 million users are at risk.

Jogi describes Snap as a “software packaging and deployment system” that was built by Canonical for operating systems on the Linux kernel. These packages, or “snaps”, as well as the tool that uses them, “snapd”, work on a wide range of Linux distributions, allowing developers to ship applications directly to users. 

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Gaining root access

Snaps, Jogi further explains, are “self-contained applications running in a sandbox with mediated access to the host system. Snap-confine in s a program used internally by snapd to construct the execution environment for snap applications.”

By abusing the flaw, tracked as CVE-2021-44731, the attacker can elevate the privileges of a basic account all the way to root access. Researchers from Qualys claim to have independently verified the vulnerability, developed an exploit, and obtained full root privileges on default installations of Ubuntu. 

The team did not explain if the exploit comes in the form of malware, or if it took a different approach.

Read more

> Ubuntu 21.04 is here, but don't get too excited

> Ubuntu has a pretty serious security flaw, so patch now

> Ubuntu 21.10 wants to make cloud-native app development easier for all

As usual, by the time the news hits the press, a patch had already been issued, so Ubuntu users are advised to patch up to the latest version, immediately. Qualys’ customers can search the vulnerability knowledgebase for CVE-2021-44731 to identify all the QIDs and vulnerable assets, the company said.

“In a Log4Shell, SolarWinds, MSFT Exchange (and on and on) era, it is vital that vulnerabilities are responsibly reported and are patched and mitigated immediately,” the research team warns. “ This disclosure continues to showcase that security is not a one and done – this code had been reviewed several times and Snap has very defensive technologies.”

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A person&#039;s fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Veeam backup software has a serious security flaw - here's how to stay safe
A person at a laptop with a cybersecure lock symbol floating above it.
Parallels Desktop has some worrying security flaws for Mac users
Digital image of a lock.
Nvidia systems could be facing another worrying security flaw
Image depicting a hand on a scanner
Hackers are targeting unpatched ServiceNow instances that exploit 3 separate year-old vulnerabilities
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Top file synchronization tool Rsync security flaws mean up to 660,000 servers possibly affected
Representational image depecting cybersecurity protection
OpenSSH vulnerabilities could pose huge threat to businesses everywhere
Latest in Security
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Image depicting a hand on a scanner
Hackers are targeting unpatched ServiceNow instances that exploit 3 separate year-old vulnerabilities
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
Latest in News
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
Seth Milchick and Kier Eagan&#039;s animatronic speaking in Severance season 2 episode 10
Apple TV+ announces Severance has been renewed for season 3 after that devastating finale
AMD Ryzen AI
New leak suggests AMD's working on an Arm-based processor to rival Qualcomm's Snapdragon X series
Apple&#039;s Craig Federighi presenting customization options in iOS 18 at the Worldwide Developers Conference (WWDC) 2024.
iOS 19: new features, a new design, and everything you need to know
Spotify&#039;s new Concerts Near You playlist feature showing a list of songs by local touring artists
Spotify has launched a new Concerts Near You playlist, making it easier for you to see if your favorite artists are performing in your area
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
More about security
Representational image depecting cybersecurity protection

Cisco smart licensing system sees critical security flaws exploited
An image of network security icons for a network encircling a digital blue earth.

US government warns agencies to make sure their backups are safe from NAKIVO security issue
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging

AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
See more latest
Most Popular
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
AMD Ryzen AI
New leak suggests AMD's working on an Arm-based processor to rival Qualcomm's Snapdragon X series
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Saturday, March 22 (game #384)
A collage of Mikey Madison&#039;s Anora, Sadie Sink&#039;s O&#039;Dessa, and Glinda and Elphaba in Wicked
7 new movies and TV shows to stream on Netflix, Prime Video, Max, and more this weekend (March 21)
Quordle on a smartphone held in a hand
Quordle hints and answers for Saturday, March 22 (game #1153)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Saturday, March 22 (game #650)
Apple&#039;s Craig Federighi presenting customization options in iOS 18 at the Worldwide Developers Conference (WWDC) 2024.
iOS 19: new features, a new design, and everything you need to know
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
A person working on a laptop outside.
HP's new built-in eSIM lets you stay connected to the internet, even without Wi-Fi