"Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges"
Qualys' Threat Research Unit recently showed how a new Linux vulnerability could be chained with two other apparently harmless flaws to gain full root privileges on an affected system. The researchers stated that the new vulnerability, tracked as CVE-2022-3328, is a race condition in Snapd, a Canonical-developed tool used for the Snap software packaging and deployment system. Specifically, the flaw impacts the "snap-confine" program used by Snapd to construct the execution environment for Snap applications. The researchers noted that the affected program is present by default in Ubuntu, whose developers described CVE-2022-3328 as a high-severity flaw that can be exploited for local privilege escalation and arbitrary code execution. Qualys researchers have shown how CVE-2022-3328 could be combined with other innocuous vulnerabilities for a high-impact attack. The researchers chained CVE-2022-3328 (this issue was introduced in February 2022 by the patch for a flaw tracked as CVE-2021-44731) with two recently discovered issues affecting Multipathd. The researchers noted that Multipathd is a daemon in charge of checking for failed paths that is running as root in the default installation of Ubuntu and other distributions. The researchers stated that Multipathd is affected by an authorization bypass issue that can be exploited by an unprivileged user to issue privileged commands to Multipathd (CVE-2022-41974) and a symlink attack (CVE-2022-41973) that can be used to force the execution of malicious code. The researchers noted that chaining the Snapd vulnerability with the two Multipathd flaws can allow any unprivileged user to gain root privileges on a vulnerable device. The researchers have verified the vulnerability, developed an exploit, and obtained full root privileges on default installations of Ubuntu. The vulnerability is not exploitable remotely, but the researchers warn that it's dangerous because it can be exploited by an unprivileged user.
SecurityWeek reports: "Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges"