8.2 CVE-2024-1724

Privilege Escalation CSRF Patch Exploit

In snapd versions prior to 2.62, when using AppArmor to enforce sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatically added to the user's PATH. An attacker who could convince a user to install a malicious snap that used the 'home' plug could use this vulnerability to install arbitrary scripts into the user's PATH; these may then be run by the user outside of the expected snap sandbox, allowing the snap to escape confinement.
https://nvd.nist.gov/vuln/detail/CVE-2024-1724

Categories

CWE-732 : Incorrect Permission Assignment for Critical Resource
When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information or to the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured cloud storage account that can be read or written by a public or anonymous user.

References



CPE

cpe                                        start   end
Configuration 1
cpe:2.3:a:canonical:snapd:*:*:*:*:*:*:*:*          < 2.62


REMEDIATION


Patch

Url
https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb...
https://github.com/snapcore/snapd/pull/13689


EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://gld.mcphail.uk/posts/explaining-cve-2024-1724/


CAPEC


Common Attack Pattern Enumerations and Classifications

id   description                                                       severity
1    Accessing Functionality Not Properly Constrained by ACLs           High
122  Privilege Abuse                                                    Medium
127  Directory Indexing                                                 Medium
17   Using Malicious Files                                              Very High
180  Exploiting Incorrectly Configured Access Control Security Levels   Medium
206  Signing Malicious Code                                             Very High
234  Hijacking a privileged process                                     Medium
60   Reusing Session IDs (aka Session Replay)                           High
61   Session Fixation                                                   High
62   Cross Site Request Forgery                                         Very High
642  Replace Binaries                                                   High


MITRE


Techniques

id         description
T1083      File and Directory Discovery
T1134.001  Access Token Manipulation: Token Impersonation/Theft
T1505.005  Server Software Component: Terminal Services DLL
T1548      Abuse Elevation Control Mechanism
T1550.004  Use Alternate Authentication Material: Web Session Cookie
T1553.002  Subvert Trust Controls: Code Signing
T1554      Compromise Client Software Binary
T1574.005  Hijack Execution Flow: Executable Installer File Permissions Weakness
T1574.010  Hijack Execution Flow: Services File Permissions Weakness
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id         description
T1134.001  An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
T1505.005  Consider using Group Policy to configure and block modifications to Terminal Services parameters in the Registry.
T1548      Limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges.
T1550.004  Configure browsers or tasks to regularly delete persistent cookies.
T1554      Ensure all application component binaries are signed by the correct application developers.
T1574.005  Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
T1574.010  Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.