CVE-2020-11934

Publication date 15 July 2020

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

7.6 · High


It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2.
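As an added illustration (constructed for this page, not snapd's own code and not a copy of launcher.go), the Go snippet below contrasts an environment builder that appends a caller-controlled directory to $XDG_DATA_DIRS before running xdg-open, as the description says OpenURL() did, with a hardened builder that pins the variable to a fixed trusted search path and a check that flags any caller-influenced entry. The trusted default and the snap directory are assumed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// Trusted search path for .desktop handlers (hypothetical default for this example).
const trustedDataDirs = "/usr/local/share:/usr/share"

// withoutDataDirs returns env minus any XDG_DATA_DIRS entry, plus the inherited value.
func withoutDataDirs(env []string) ([]string, string) {
	out := make([]string, 0, len(env)+1)
	value := trustedDataDirs
	for _, kv := range env {
		if strings.HasPrefix(kv, "XDG_DATA_DIRS=") {
			value = strings.TrimPrefix(kv, "XDG_DATA_DIRS=")
			continue
		}
		out = append(out, kv)
	}
	return out, value
}
// vulnerableEnv mirrors the flaw in CVE-2020-11934: a directory the calling snap
// controls is appended, so xdg-open may pick a handler from a .desktop file the snap ships.
func vulnerableEnv(parentEnv []string, snapDataDir string) []string {
	out, inherited := withoutDataDirs(parentEnv)
	return append(out, "XDG_DATA_DIRS="+inherited+":"+snapDataDir)
}
// hardenedEnv ignores the inherited value and the caller's directory and pins the search path.
func hardenedEnv(parentEnv []string) []string {
	out, _ := withoutDataDirs(parentEnv)
	return append(out, "XDG_DATA_DIRS="+trustedDataDirs)
}
// inheritsUntrusted reports whether XDG_DATA_DIRS names a directory under untrustedPrefix.
func inheritsUntrusted(env []string, untrustedPrefix string) bool {
	_, value := withoutDataDirs(env)
	for _, d := range strings.Split(value, ":") {
		if strings.HasPrefix(d, untrustedPrefix) {
			return true
		}
	}
	return false
}
func main() {
	parent := []string{"PATH=/usr/bin", "DISPLAY=:0"}                 // constructed parent env
	snapDir := "/home/user/snap/example-snap/current/.local/share" // constructed snap dir
	fmt.Println(inheritsUntrusted(vulnerableEnv(parent, snapDir), "/home/user/snap/")) // true
	fmt.Println(inheritsUntrusted(hardenedEnv(parent), "/home/user/snap/"))            // false
}
```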

From the Ubuntu Security Team

It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL. This issue did not affect Ubuntu Core systems. (CVE-2020-11934)


Status

Package   Ubuntu Release      Status
snapd     20.04 LTS focal     Fixed 2.45.1+20.04.2
snapd     19.10 eoan          Fixed 2.45.1+19.10.2
snapd     18.04 LTS bionic    Fixed 2.45.1+18.04.2
snapd     16.04 LTS xenial    Fixed 2.45.1ubuntu0.2
snapd     14.04 LTS trusty    Not in release

Notes


emitorino

Since the vulnerability is present in userd's OpenURL implementation, it only affects classic distros where userd is auto-started. Since userd cannot be auto-started on Ubuntu Core 16, Ubuntu Core 18 or Ubuntu Core 20 (for various reasons depending on the release), Ubuntu Core is not affected. Even if userd happened to start (e.g., the user started it manually on UC20), there is no implicitOnCore policy that allows communicating with io.snapcraft.Launcher (or the older com.canonical.SafeLauncher). The dbus interface can't be used (with either plugs or slots) to communicate with userd. /usr/bin/xdg-open on the boot file system of an Ubuntu Core system is different to Classic: it is the sandbox proxy that calls back into userd. Even if a session bus is running and a confined app could call userd, userd will report an error because the caller is not confined.

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
snapd

Severity score breakdown

Parameter               Value
Base score              7.6 · High
Attack vector           Physical
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Changed
Confidentiality impact  High
Integrity impact        High
Availability impact     High
Vector                  CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references