‘Dirty Sock’ PE vulnerability in Linux systems could allow attackers to gain root level access to servers

• Dirty Sock is a privilege escalation vulnerability in Ubuntu which could allow attackers to gain root level access to the system.
• The actual vulnerability does not exist in the Ubuntu OS itself, but in Snapd, which is included in all recent Ubuntu versions and in some Linux systems by default.

A security researcher for Shenanigans Labs, Chris Moberly, recently discovered a vulnerability affecting the Ubuntu operating system. The researcher named the vulnerability as ‘Dirty Sock’ and noted that this bug is a local privilege escalation vulnerability which could allow attackers to gain root level access to the system.

Moberly noted that the actual vulnerability does not exist in the Ubuntu OS itself, but in Snapd, which is included in all recent Ubuntu versions, and in some other Linux distros by default.

Snapd

Snapd is the daemon that manages ‘snaps’, a new app packaging format developed and used in Ubuntu apps since 2014. Snapd allows users to download and install apps in the .snap file format. The security researcher noted that the ‘Dirty Sock’ vulnerability impacts Snapd versions 2.28 and later.

“Current versions of Ubuntu Linux are vulnerable to local privilege escalation due to a bug in the snapd API. This local service installs by default on both 'Server' and 'Desktop' versions of Ubuntu and is likely included in many Ubuntu-like Linux distributions,” Moberly noted in the bug report.

Moberly stated that Snapd exposes a local REST API server that snap packages interact with the official Ubuntu Snap Store while installing new apps (snaps). The researcher revealed that he uncovered a way to bypass the access control restrictions imposed on this REST API server and gain access to all API functions, including the ones restricted for the root user.

Two exploitation methods

Moberly also published a Proof-of-Concept code on GitHub which includes two example exploits that can be used to exploit this API and create new root-level accounts.

The researcher noted that the malicious code to exploit this ‘Dirty Sock’ vulnerability can either be run directly on infected host systems or can be hidden inside malicious snap packages.

Patch released

Moberly reported the ‘Dirty Sock’ exploit to Canonical, the company behind Ubuntu OS and Snapd. The researcher also worked along with the Canonical team to have the security issue fixed.

Canonical released Snapd version 2.37.1 and also released security updates for the Ubuntu Linux OS. Other Linux distros that use Snapd such as Debian, ArchLinux, OpenSUSE, Solus, and Fedora also released security updates to fix the bug.