A few weeks ago in January, security researcher Chris Moberly discovered a privilege escalation bug in the snapd daemon, which is installed by default on various versions of Ubuntu Linux. If properly exploited, the bug could give an attacker root access on the system.
This vulnerability is CVE-2019-7304 and is rated as a high-priority vulnerability by Canonical. It directly affects the following four Ubuntu releases and their derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
What is Snapd?
Snappy is a Linux package management tool originally developed by Canonical for the Ubuntu Linux operating system. Snap differs from more conventional package management tools like YUM or APT, which require specifically configured packages for each distro. Snap packages are designed to be distro-agnostic: they work across various distros using a single, self-contained binary installer or package.
These packages, or snaps as they are commonly called, are managed by the snapd system service which is automatically installed by default on Ubuntu Linux.
While snapd was developed specifically for Ubuntu, it was ported in 2016 to a variety of other Linux distributions. As such, it’s important that you check and validate whether or not your systems are at risk.
What Linux distros are impacted?
In addition to the four Ubuntu variants listed above, the following major distros may be at risk: Fedora, openSUSE, Linux Mint, CentOS, Debian, Arch Linux, Gentoo.
How do I patch my Linux systems with Automox?
You can easily use the Automox platform to find out if you are at risk and to instantly patch the vulnerability on your impacted systems to quickly mitigate the security risk. To do so, follow this brief process:
Log in to the console and click on the ‘Software’ icon found in the left navigation pane. In the search box on the ‘Software’ page, simply type ‘snapd’ and hit enter. You’ll see in the example below that there are 7 endpoints that have potentially been impacted:
By looking closer, you’ll see that the ‘State’ for each of these endpoints is set to ‘Patch on schedule’ which means they will be automatically patched whenever the package is available. To patch the systems immediately, you can use the Actions dropdown to select ‘Patch Now’. With Automox, it’s always this simple to address a critical vulnerability.
Automox can help ensure your systems are adequately patched in a timely manner to protect your organization against vulnerabilities such as the snapd bug discussed here. As a best practice, you should always ensure that you have at least one patch policy assigned to all of your devices for Critical, Medium, and Low severity patches. These updates are generally Security and Cumulative software updates. Automox is designed to automate your response to zero-day vulnerabilities like this and others across the Windows, Mac, and Linux operating systems.
Current Automox customers can create policies that automatically handle the patching and execution of important updates for you every single month. Alternatively, you may contact our support team for any technical assistance at email@example.com.
If you are not currently an Automox customer, we invite you to sign up for a free 15-day trial of our cloud-based, automated patch management solution. Visit www.automox.com/signup to get started.