Dirty Sock vulnerability gives hackers root access to Linux systems
Ubuntu and some other Linux distributions have a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to get root access. The vulnerability is in the Snapd daemon that's included by default with all recent Ubuntu versions, but also with some other Linux distros. Snapd is used by Linux users to download and install apps in the .snap file format.
Chris Moberly at The Missing Link Security found the issue and stated that it lies in the snapd API. Moberly named the vulnerability Dirty_Sock because it revolves around the handling of sockets. According to Moberly, his proof-of-concept exploits work 100% of the time on fresh, default installations of Ubuntu Server and Desktop. The vulnerability does not allow attackers to break into vulnerable machines remotely; it requires local access. Moberly's report can be found here.
Snapd exposes a local REST API server that snap packages and the official Ubuntu Snap Store interact with during the installation of new apps. Moberly found a way to skirt the access control restrictions imposed on this API server and gain access to all API functions, including the ones restricted to the root user. The flaw comes from the way the access control mechanism checks the UID associated with any request made to the server: a local attacker can override the UID value the check relies on and so reach any API function, including those restricted to root. Moberly posted his proof of concept on GitHub. Snapd versions 2.28 through 2.37 are all vulnerable to the Dirty Sock exploit.
Linux users are strongly advised to upgrade vulnerable installations as soon as possible. Canonical, the company behind the Ubuntu operating system, has released a patch (USN-3887-1) for this issue. Administrators of other Linux distributions that ship snapd, such as Linux Mint, Debian and Fedora, should check whether the flaw is present and apply patches accordingly.
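As an added defender-side check, not code from the article or from the snapd project: a small POSIX shell script that reads the installed snapd version from `snap version` and reports whether it falls in the 2.28 through 2.37 range the article lists. It assumes the `snapd  <version>` line that `snap version` prints and compares only MAJOR.MINOR, so a 2.37.x point release that already carries the distribution's fix is still reported for confirmation against the advisory.

```shell
#!/bin/sh
# Added illustration, not code from the article or the snapd project.
# Classifies a snapd version string against the range the article names as
# affected (2.28 through 2.37). Assumes the "MAJOR.MINOR[.PATCH...]" form
# that `snap version` prints, e.g. "2.37.1+18.04".

# Returns 0 when "$1" is in the affected range, 1 when outside it, and 2
# when the string cannot be parsed. Only MAJOR.MINOR is compared, so a
# 2.37.x build that already contains the fix is still flagged; confirm such
# a result against the distribution advisory (USN-3887-1 on Ubuntu).
snapd_vulnerable() {
    ver=$1
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    major=${major%%[!0-9]*}          # keep the leading digits only
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}           # drop ".PATCH", "+git", "~ubuntu" etc.
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    [ "$major" -eq 2 ] && [ "$minor" -ge 28 ] && [ "$minor" -le 37 ]
}

# Reads the daemon version from the "snapd  2.37.1" line of `snap version`;
# prints nothing when the snap client is not installed.
installed_snapd_version() {
    snap version 2>/dev/null | awk '$1 == "snapd" { print $2; exit }'
}

# Prints a one-line verdict for a version string.
report() {
    snapd_vulnerable "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "snapd $1: in the affected range, upgrade" ;;
        1) echo "snapd $1: outside the affected range" ;;
        *) echo "snapd $1: version string not understood" ;;
    esac
}

# Constructed sample versions, followed by the live one if snap is present.
for v in 2.27 2.28 2.37 2.37.1+18.04 2.38 unknown; do report "$v"; done
live=$(installed_snapd_version)
if [ -n "$live" ]; then report "$live"; fi
```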