4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-5138

GHSA ID

GHSA-p9v8-q5m4-pf46

EPSS Score

0.33903%

CWE

CWE-285

Published

1/16/2025

Updated

1/16/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-5138

CVE-2024-5138: CVE-2024-5138: snapd snapctl auth bypass

Impact

A snap with prior permissions to create a mount entry on the host, such as firefox, normally uses the permission from one of the per-snap hook programs. A unprivileged users cannot normally trigger that behaviour by using snap run --shell firefox followed by snapctl mount, since snapd validates the requesting user identity (root or non-root). The issue allows unprivileged users to bypass that check by crafting a malicious command line vector which confuses snapd into thinking the help message is requested.

Unprivileged user on a default installation of Ubuntu, where firefox is as provided as a snap, may cause a denial-of-service attack by repeatedly mounting hunspell database over and over and eventually exhausting system memory.

Other attacks, reliant on the same underying mechanism (mount), are possible. In all cases the snap must be installed and grated permission to perform this action (by connecting an appropriate snap interface), which requires administrative privileges. As such we are focusing on the case of default installation where an unprivileged user may exploit this behavior.

Patches

Patch: https://github.com/canonical/snapd/commit/68ee9c6aa916ab87dbfd9a26030690f2cabf1e14 Release: Available from Snapd 2.64

Workarounds

Users may disconnect any instances of the mount-control interface to prevent snapd from creating such mount points. For example, the firefox snap has the host-hunspell plug, which is of type mount-control. The interface can be disconnected with:

sudo snap disconnect firefox:host-hunspell

References

The original bug report was made on Launchpad: https://bugs.launchpad.net/snapd/+bug/2065077 CVE.org: https://www.cve.org/CVERecord?id=CVE-2024-5138 Canonical: https://ubuntu.com/security/CVE-2024-5138

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-5138

CVE-2024-5138:

4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-5138

GHSA ID

GHSA-p9v8-q5m4-pf46

EPSS Score

0.33903%

CWE

CWE-285

Published

1/16/2025

Updated

1/16/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/snapcore/snapd	go	>= 2.51.6, < 2.63.1	2.63.1
github.com/snapcore/snapd	go	< 0.0.0-20240524114846-68ee9c6aa916	0.0.0-20240524114846-68ee9c6aa916

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper argument parsing in the authorization check function. The commit diff shows the vulnerable isAllowedToRun function was modified to add proper '--' handling. The original code allowed any occurrence of help flags (even after command arguments) to bypass root checks, which attackers exploited by inserting '-- --help' to trigger the bypass. The patch specifically addresses this by terminating argument parsing at '--', confirming this function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-5138: CVE-2024-5138: snapd snapctl auth bypass

Impact

Patches

Workarounds

References

CVE-2024-5138:

4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

4

4

CVE-2024-5138: CVE-2024-5138: snapd snapctl auth bypass

Impact

Patches

Workarounds

References

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI