CVE-2020-11933

2020-07-1500:00:00

ubuntu.com

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS

0.001

Percentile

29.4%

JSON

cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices
was run without restrictions on every boot, which a physical attacker could
exploit by crafting cloud-init user-data/meta-data via external media to
perform arbitrary changes on the device to bypass intended security
mechanisms such as full disk encryption. This issue did not affect
traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539
and core version 2.45.2, revision 9659.

Bugs

<https://launchpad.net/bugs/1879530>

Notes

Author	Note
jdstrand	cloud-init as managed by snapd is only used on Ubuntu Core 16 and 18 devices. This does not affect traditional Ubuntu cloud, desktop and server systems or the upcoming Ubuntu Core 20. Since the attack requires physical presence, the vulnerability provides no additional access to standard Ubuntu Core devices. For Ubuntu Core devices with full disk encryption, the vulnerability allows admin access to the device after the disk has been decrypted. snapd will be updated to disable/restrict cloud-init after the first boot. Since this does not affect traditional deb-based Ubuntu systems, security updates will not be provided for the snapd deb in the Ubuntu archive and these debs are marked as ‘not-affected’. For notification purposes we will issue a USN for this. Ubuntu Core 16 devices will be updated via the ‘core’ snap which includes snapd Ubuntu Core 18 devices will be updated via the ‘snapd’ snap (which is provided separated from the core18 snap) 20.04 LTS Raspberry Pi images are affected but do not include FDE. A non-security bug task has been added to https://launchpad.net/bugs/1879530.

Author

Note

jdstrand

cloud-init as managed by snapd is only used on Ubuntu Core 16 and 18 devices. This does not affect traditional Ubuntu cloud, desktop and server systems or the upcoming Ubuntu Core 20. Since the attack requires physical presence, the vulnerability provides no additional access to standard Ubuntu Core devices. For Ubuntu Core devices with full disk encryption, the vulnerability allows admin access to the device after the disk has been decrypted. snapd will be updated to disable/restrict cloud-init after the first boot. Since this does not affect traditional deb-based Ubuntu systems, security updates will not be provided for the snapd deb in the Ubuntu archive and these debs are marked as ‘not-affected’. For notification purposes we will issue a USN for this. Ubuntu Core 16 devices will be updated via the ‘core’ snap which includes snapd Ubuntu Core 18 devices will be updated via the ‘snapd’ snap (which is provided separated from the core18 snap) 20.04 LTS Raspberry Pi images are affected but do not include FDE. A non-security bug task has been added to https://launchpad.net/bugs/1879530.