-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2415
                      USN-4424-1: snapd vulnerabilities
                                16 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           snapd
Publisher:         Ubuntu
Operating System:  Ubuntu Linux variants
Impact/Access:     Reduced Security      -- Unknown/Unspecified
                   Unauthorised Access   -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11934 CVE-2020-11933

Original Bulletin:
   https://usn.ubuntu.com/4424-1/

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Ubuntu. It is recommended that administrators
         running snapd check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4424-1: snapd vulnerabilities
15 July 2020

snapd vulnerabilities

Releases

  o Ubuntu 20.04 LTS
  o Ubuntu 19.10
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 LTS

Packages

  o snapd - Daemon and tooling that enable snap packages

Details

It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and
Ubuntu Core 18 devices ran on every boot without restrictions. A physical
attacker could exploit this to craft cloud-init user-data/meta-data via
external media to perform arbitrary changes on the device to bypass intended
security mechanisms such as full disk encryption. This issue did not affect
traditional Ubuntu systems. (CVE-2020-11933)

It was discovered that snapctl user-open allowed altering the XDG_DATA_DIRS
environment variable when calling the system xdg-open. A malicious snap could
exploit this to bypass intended access restrictions to control how the host
system xdg-open script opens the URL. This issue did not affect Ubuntu Core
systems.
(CVE-2020-11934)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 20.04

  o snapd - 2.45.1+20.04.2

Ubuntu 19.10

  o snapd - 2.45.1+19.10.2

Ubuntu 18.04

  o snapd - 2.45.1+18.04.2

Ubuntu 16.04

  o snapd - 2.45.1ubuntu0.2

In general, a standard system update will make all the necessary changes.

On Ubuntu, snapd will automatically refresh itself to snapd 2.45.2 which is
unaffected.

References

  o CVE-2020-11933
  o CVE-2020-11934

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXw+yC+NLKJtyKPYoAQiN7hAApjxbucZplRX0/FnF3HOvQ07UED7ZjxHr
bkmkftjbmLbfsXa7DcXy5HR5nC1m4mXBHIdqMUTxZ4Bbgp23yZrRvfJI4vAMeZg4
5emYpCprAihkf2Y95MAFSHxktrNvBfCtfncW83N2tZX0N+kIP97uLflWLVvFJI3G
oC/9A31MfRI5KajFFQPCRSF38E+mnr/DqPlK9SfUQZeQ2UqydOVD6Vus25rluF8i
BYUU8ZYwtjiIHoaO4Nl4HKN9RgY9o6+zUqNP4J/Ca1n47pZ8gr4iGRlLRfRmnLar
wwfK2IVq2ffGiPVQJkE7aZVsfwuYcZyfyuQsUYIac3/NV2weYzBxI+x4xGJ3Bjbo
h0owou6l8uVANA8CbbeycpzaTTvk35+1hwS5iRJfAMJXfe433dyKGdzcx5GvCIXX
oI+ix7f0ttE8bdaZ+CkiicCCG0931gvHgIpZuj+V3HMSBiVQ2PckXlxklilulrdR
ym+MCEUluUcdmbk45lMPwkcwjuvEFsdXRmNCVs2XqHdUQxY/0rICeUWPUTvAk9kW
zovqBds36De+tfo+RGr41d0Nel8YSXyQiDvbFyOCVm1tYjTE4waPgpKzdYxDTOvF
rYGrUsdHNh9TqpnVwCLTK6ec6NobpHduMpDnmDDQ+cmHe2BR+g6m/MsUixamJVUK
K4Mq/05idaA=
=pZEY
-----END PGP SIGNATURE-----
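The update instructions above name one fixed snapd version per Ubuntu release. The script below is an added example, not part of the AusCERT or Ubuntu bulletin, that checks an installed snapd version against that table. It reimplements the dpkg version ordering (epoch, then upstream, then Debian revision; '~' sorts before anything, digit runs compare numerically) instead of shelling out to `dpkg --compare-versions`, so it also runs on hosts without dpkg. The FIXED_VERSIONS table comes from the bulletin; the function names, the dpkg-query call and the /etc/os-release lookup are this example's own assumptions.

```python
"""Check whether an installed snapd package carries the USN-4424-1 fix.

Example code, not part of the bulletin. Ports dpkg's version comparison so
the check runs anywhere; FIXED_VERSIONS is copied from USN-4424-1.
"""
import subprocess

# Fixed snapd versions per Ubuntu release, as listed in USN-4424-1.
FIXED_VERSIONS = {
    "20.04": "2.45.1+20.04.2",
    "19.10": "2.45.1+19.10.2",
    "18.04": "2.45.1+18.04.2",
    "16.04": "2.45.1ubuntu0.2",
}

DIGITS = "0123456789"


def _order(s, k):
    """dpkg character weight: end-of-string and digits weigh 0, '~' sorts
    below everything, letters by ASCII value, other symbols above letters."""
    if k >= len(s) or s[k] in DIGITS:
        return 0
    c = s[k]
    if c == "~":
        return -1
    if c.isascii() and c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until they differ.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Leading zeros carry no weight in a numeric run.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        # Numeric run: the longer run is the larger number; equal lengths
        # are decided by the first differing digit.
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:  # no Debian revision present
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(release, installed):
    """True when snapd on this Ubuntu release is at or above the fixed version."""
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        raise ValueError(f"Ubuntu {release} is not covered by USN-4424-1")
    return compare_versions(installed, fixed) >= 0


def installed_snapd_version():
    """Installed snapd version via dpkg-query, or None when unavailable."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f", "${Version}", "snapd"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


def ubuntu_release():
    """VERSION_ID from /etc/os-release (e.g. '20.04'), or None."""
    try:
        with open("/etc/os-release", encoding="utf-8") as f:
            for line in f:
                if line.startswith("VERSION_ID="):
                    return line.split("=", 1)[1].strip().strip('"')
    except OSError:
        pass
    return None


if __name__ == "__main__":
    rel, ver = ubuntu_release(), installed_snapd_version()
    if rel in FIXED_VERSIONS and ver:
        state = "fixed" if is_fixed(rel, ver) else "VULNERABLE (update snapd)"
        print(f"Ubuntu {rel}: snapd {ver} -> {state}")
    else:
        # Constructed sample inputs for hosts that are not a covered Ubuntu release.
        for rel, ver in [("20.04", "2.45.1+20.04.1"), ("20.04", "2.45.2+20.04"),
                         ("16.04", "2.45.1ubuntu0.2")]:
            print(rel, ver, "fixed" if is_fixed(rel, ver) else "vulnerable")
```

Run it with python3 on the host itself; on anything that is not one of the four covered releases it falls back to the constructed samples. The dpkg rules matter for this kind of check: a plain string comparison would rank a hypothetical 2.45.10 below 2.45.9 and would place a pre-release such as 2.45.1~pre1 after 2.45.1, in both cases reporting an unpatched package as fixed.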