CVE-2019-7303 : Security Advisory and Response
Learn about CVE-2019-7303, a vulnerability in Canonical snapd allowing character injection into a terminal on a 64-bit host. Find mitigation steps and update information here.
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl(2) commands on a 64-bit platform; however, the Linux kernel only uses the lower 32 bits to determine which ioctl(2) commands to run. This weakness impacts versions of Canonical snapd earlier than 2.37.4.
Understanding CVE-2019-7303
This CVE involves a vulnerability in Canonical snapd that allows unauthorized character injection into a terminal on a 64-bit host.
What is CVE-2019-7303?
Before version 2.37.4, a weakness in the seccomp filters of Canonical snapd allows a strict mode snap to inject characters into a terminal on a 64-bit host. The issue affects versions of Canonical snapd prior to 2.37.4.
The Impact of CVE-2019-7303
The vulnerability has a CVSS base score of 5.7, categorizing it as a medium severity issue. The impact includes low confidentiality, integrity, and availability impacts. The attack complexity is low, requiring local access and user interaction.
Technical Details of CVE-2019-7303
This section provides detailed technical information about the vulnerability.
Vulnerability Description
The vulnerability in Canonical snapd allows a strict mode snap to bypass seccomp filters and inject characters into a terminal on a 64-bit host.
Affected Systems and Versions
- Product: snapd
- Vendor: Canonical
- Versions Affected: < 2.37.4
Exploitation Mechanism
The issue arises from the mismatch between the seccomp rules designed for 64-bit ioctl(2) commands and the Linux kernel's utilization of only the lower 32 bits for executing ioctl(2) commands.
Mitigation and Prevention
Protecting systems from CVE-2019-7303 requires immediate actions and long-term security practices.
Immediate Steps to Take
- Update snapd to version 2.37.4 or newer to mitigate the vulnerability.
- Monitor for any unauthorized character injections into terminals.
Long-Term Security Practices
- Regularly update software and apply security patches promptly.
- Implement strict access controls and monitoring mechanisms to detect and prevent unauthorized activities.
Patching and Updates
- Canonical has released version 2.37.4 to address this vulnerability. Ensure all affected systems are updated to this version or later to prevent exploitation.