{"id":432,"date":"2024-02-15T00:11:02","date_gmt":"2024-02-15T00:11:02","guid":{"rendered":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/"},"modified":"2025-02-27T15:53:15","modified_gmt":"2025-02-27T15:53:15","slug":"warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps","status":"publish","type":"post","link":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/","title":{"rendered":"Warning from Security Experts: Exploit in Ubuntu Allows Pushing of Malicious Snaps"},"content":{"rendered":"<p><p>Researchers at Aqua Security have identified a security flaw in Ubuntu&#8217;s &#8220;command not found&#8221; feature. This gap could potentially be exploited by attackers to mislead users into installing harmful snaps.<\/p>\n<\/p>\n<p><p>In a detailed blog post, researcher Ilay Goldman warns about the possible dangers of attackers exploiting the &#8220;command-not-found&#8221; utility to suggest their own harmful snap packages.<\/p>\n<\/p>\n<p><p>He expresses serious concern about the scale of the issue. Attackers could potentially replicate thousands of commands from widely-used packages. Goldman mentions <a href=\"https:\/\/www.omgubuntu.co.uk\/2018\/05\/ubuntu-snap-malware\" rel=\"nofollow noopener\" target=\"_blank\">previous cases of harmful packages appearing in the Snap Store<\/a> as an illustration of the issue.<\/p>\n<\/p>\n<p><p>So, what exactly is the problem, how risky is it, and should Ubuntu users be concerned about it?<\/p>\n<\/p>\n<p><h2>Package Suggestions can be Gamed<\/h2>\n<\/p>\n<p><a href=\"https:\/\/149366088.v2.pressablecdn.com\/wp-content\/uploads\/2024\/02\/command-not-found-but-you-can.jpg\" target=\"_blank\" rel=\"nofollow noopener\"> <\/a><\/p>\n<p><p>Can this helpful feature be exploited? 
Security bods say yes<\/p>\n<\/p>\n<p><p>When you try to run a command for a package you don\u2019t have installed, Ubuntu will show a \u201ccommand not found\u201d error.<\/p>\n<\/p>\n<p><p>But, in an effort to help, it also suggests the package(s) needed to run the missing command.<\/p>\n<\/p>\n<p><p>Suggestions are shown for relevant DEB packages available to install from the Ubuntu repos (queried against a local database) and snap packages (queried from a database on the Snap Store that gets updated often so new apps appear as recommendations).<\/p>\n<p>And it\u2019s this helpful feature security researchers say is open for manipulation by bad actors (and I don\u2019t mean the Tommy Wiseau kind) using snap apps. <\/p>\n<p>To prove the viability of this attack vector, Aqua Nautilus performed a few experiments.<\/p>\n<p>In one example, they ran <code>jupyter-notebook<\/code> on a fresh Ubuntu install and, as it\u2019s not preinstalled, the command-not-found feature did its job: it said \u2018not found\u2019, recommended the relevant package needed, and showed how to install it using apt.<\/p>\n<\/p>\n<p><p>So far so good.<\/p>\n<\/p>\n<p><p>But as this particular package didn\u2019t return a <em>snap<\/em> suggestion \u2014 the feature will show both DEB and Snaps if they exist \u2014 they figured that the namespace hadn\u2019t been registered on the Snap Store.<\/p>\n<\/p>\n<p><p>So the researchers registered it, filled in the details, and uploaded a (dummy) app \u2018impersonating\u2019 the real one. 
Sure enough, <code>command-not-found<\/code> began recommending their pretend package \u2014 even <em>before<\/em> the legit one:<\/p>\n<\/p>\n<p><p><a href=\"https:\/\/149366088.v2.pressablecdn.com\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-13-at-22.57.43.png\" rel=\"nofollow noopener\" target=\"_blank\">Screenshot link<\/a><\/p>\n<\/p>\n<p><p>One of these isn\u2019t what it seems, but could you tell?<\/p>\n<\/p>\n<p><p>In the stated example, the fraudulent snap was assigned a higher version number and displayed prior to the authentic APT package, potentially leading users to perceive the initial snap as the recommended choice.<\/p>\n<\/p>\n<p><p>That indeed forms the heart of the problem. <\/p>\n<\/p>\n<p><p>Unscrupulous individuals can conveniently exploit the recommendation system, turning this innocent, user-oriented feature into a vehicle for recommending questionable snap packages to users. The only thing they need to do is to upload a snap pretending to be something that is highly sought-after, and <code>command-not-found<\/code> will take care of the rest.<\/p>\n<\/p>\n<p><p>Even worse, <em>Aqua Nautilus<\/em> report that approximately 26% of commands related to APT packages are susceptible to malicious impersonation. And they have also experimented with other strategies (such as leveraging aliases, typosquatting, and the like) that dishonest people can use to manipulate the system in order to have their counterfeit packages suggested to users, sometimes even ahead of legitimate ones.<\/p>\n<\/p>\n<p><p>Which is all kinds of worrying.<\/p>\n<\/p>\n<p><h3>Is this <em>actually<\/em> an issue?<\/h3>\n<\/p>\n<p><p>The good news is that, for now, this exploit is theoretical (albeit tested). 
No-one has yet reported being duped through the CNF mechanism, and there are no signs any snap malware is out there actively exploiting this loophole \u2014 so that\u2019s good.<\/p>\n<\/p>\n<p><p>Plus, it will be easy for Canonical to remedy the issue with mitigations on their end \u2013 perhaps restricting snap suggestions surfaced through this feature to those uploaded by verified developers only?<\/p>\n<\/p>\n<p><p>On a desktop version of Ubuntu, it&#8217;s safe to assume that the CNF feature may not be as commonly utilised as in server and headless setups like WSL, where CLI reigns. While this may serve as a blessing for desktop users who are less likely to be duped, it can pose a threat to crucial infrastructure systems like servers and IoT. <\/p>\n<\/p>\n<p><p>As users, the onus is on us to exercise caution. It&#8217;s imperative to keep an eye out for typos, verify the authenticity of what we are installing, and ensure that it is packaged by a reliable source whenever we install anything, regardless of the source.<\/p>\n<\/p>\n<p><p>Keen on delving deeper? Do visit the <a href=\"https:\/\/www.aquasec.com\/blog\/snap-trap-the-hidden-dangers-within-ubuntus-package-suggestion-system\/\" rel=\"nofollow noopener\" target=\"_blank\">Aqua<\/a> blog post to explore the entire report. <\/p>\n<\/p>\n<p><p>The blog not only elucidates how &#8216;command-not-found&#8217; operates and assigns relevancy to its suggestions, but also reveals how ill-intentioned actors can misuse snap packages to perform unsettling activities even with strict confinement enabled and without triggering a manual review.<\/p>\n<\/p>\n<p><p>Food for thought!<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers at Aqua Security have identified a security flaw in Ubuntu&#8217;s &#8220;command not found&#8221; feature. This gap could potentially be exploited by attackers to mislead users into installing harmful snaps. 
In a detailed blog post, researcher Ilay Goldman warns about the possible dangers of attackers exploiting the &#8220;command-not-found&#8221; utility to suggest their own harmful snap [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":433,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,249,130],"tags":[],"class_list":["post-432","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-security","category-snaps"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Security Alert: Ubuntu Exploit Pushing Malicious Snaps serverhost<\/title>\n<meta name=\"description\" content=\"Security experts warn of an exploit in Ubuntu allowing the pushing of malicious snaps, urging users to update and secure their systems to avoid potential threats.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Security Alert: Ubuntu Exploit Pushing Malicious Snaps serverhost\" \/>\n<meta property=\"og:description\" content=\"Security experts warn of an exploit in Ubuntu allowing the pushing of malicious snaps, urging users to update and secure their systems to avoid potential threats.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/\" \/>\n<meta property=\"og:site_name\" content=\"ServerHost Hosting Solutions Blog\" \/>\n<meta property=\"article:published_time\" 
content=\"2024-02-15T00:11:02+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-02-27T15:53:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/serverhost.com\/blog\/wp-content\/uploads\/2024\/02\/96d2f678dd25620d483091720f380e99-e1740671579579.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"840\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/\",\"url\":\"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/\",\"name\":\"Security Alert: Ubuntu Exploit Pushing Malicious Snaps 
serverhost\",\"isPartOf\":{\"@id\":\"https:\/\/serverhost.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/serverhost.com\/blog\/wp-content\/uploads\/2024\/02\/96d2f678dd25620d483091720f380e99-e1740671579579.webp\",\"datePublished\":\"2024-02-15T00:11:02+00:00\",\"dateModified\":\"2025-02-27T15:53:15+00:00\",\"author\":{\"@id\":\"https:\/\/serverhost.com\/blog\/#\/schema\/person\/535ebc9c42672d8f79ad3ee8ea563d66\"},\"description\":\"Security experts warn of an exploit in Ubuntu allowing the pushing of malicious snaps, urging users to update and secure their systems to avoid potential threats.\",\"breadcrumb\":{\"@id\":\"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/#primaryimage\",\"url\":\"https:\/\/serverhost.com\/blog\/wp-content\/uploads\/2024\/02\/96d2f678dd25620d483091720f380e99-e1740671579579.webp\",\"contentUrl\":\"https:\/\/serverhost.com\/blog\/wp-content\/uploads\/2024\/02\/96d2f678dd25620d483091720f380e99-e1740671579579.webp\",\"width\":1600,\"height\":840},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\
":1,\"name\":\"Home\",\"item\":\"https:\/\/serverhost.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Warning from Security Experts: Exploit in Ubuntu Allows Pushing of Malicious Snaps\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/serverhost.com\/blog\/#website\",\"url\":\"https:\/\/serverhost.com\/blog\/\",\"name\":\"ServerHost Hosting Solutions Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/serverhost.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/serverhost.com\/blog\/#\/schema\/person\/535ebc9c42672d8f79ad3ee8ea563d66\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/serverhost.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b8e5973018461f98bcdda40e69a0a7ae6548c079e5e7a1a0c8b40c0738e0fb52?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b8e5973018461f98bcdda40e69a0a7ae6548c079e5e7a1a0c8b40c0738e0fb52?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/serverhost.com\/blog\"],\"url\":\"https:\/\/serverhost.com\/blog\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Security Alert: Ubuntu Exploit Pushing Malicious Snaps serverhost","description":"Security experts warn of an exploit in Ubuntu allowing the pushing of malicious snaps, urging users to update and secure their systems to avoid potential threats.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/","og_locale":"en_US","og_type":"article","og_title":"Security Alert: Ubuntu Exploit Pushing Malicious Snaps serverhost","og_description":"Security experts warn of an exploit in Ubuntu allowing the pushing of malicious snaps, urging users to update and secure their systems to avoid potential threats.","og_url":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/","og_site_name":"ServerHost Hosting Solutions Blog","article_published_time":"2024-02-15T00:11:02+00:00","article_modified_time":"2025-02-27T15:53:15+00:00","og_image":[{"width":1600,"height":840,"url":"https:\/\/serverhost.com\/blog\/wp-content\/uploads\/2024\/02\/96d2f678dd25620d483091720f380e99-e1740671579579.webp","type":"image\/webp"}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/","url":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/","name":"Security Alert: Ubuntu Exploit Pushing Malicious Snaps serverhost","isPartOf":{"@id":"https:\/\/serverhost.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/#primaryimage"},"image":{"@id":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/#primaryimage"},"thumbnailUrl":"https:\/\/serverhost.com\/blog\/wp-content\/uploads\/2024\/02\/96d2f678dd25620d483091720f380e99-e1740671579579.webp","datePublished":"2024-02-15T00:11:02+00:00","dateModified":"2025-02-27T15:53:15+00:00","author":{"@id":"https:\/\/serverhost.com\/blog\/#\/schema\/person\/535ebc9c42672d8f79ad3ee8ea563d66"},"description":"Security experts warn of an exploit in Ubuntu allowing the pushing of malicious snaps, urging users to update and secure their systems to avoid potential 
threats.","breadcrumb":{"@id":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/#primaryimage","url":"https:\/\/serverhost.com\/blog\/wp-content\/uploads\/2024\/02\/96d2f678dd25620d483091720f380e99-e1740671579579.webp","contentUrl":"https:\/\/serverhost.com\/blog\/wp-content\/uploads\/2024\/02\/96d2f678dd25620d483091720f380e99-e1740671579579.webp","width":1600,"height":840},{"@type":"BreadcrumbList","@id":"https:\/\/serverhost.com\/blog\/warning-from-security-experts-exploit-in-ubuntu-allows-pushing-of-malicious-snaps\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/serverhost.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Warning from Security Experts: Exploit in Ubuntu Allows Pushing of Malicious Snaps"}]},{"@type":"WebSite","@id":"https:\/\/serverhost.com\/blog\/#website","url":"https:\/\/serverhost.com\/blog\/","name":"ServerHost Hosting Solutions 
Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/serverhost.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/serverhost.com\/blog\/#\/schema\/person\/535ebc9c42672d8f79ad3ee8ea563d66","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/serverhost.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/b8e5973018461f98bcdda40e69a0a7ae6548c079e5e7a1a0c8b40c0738e0fb52?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b8e5973018461f98bcdda40e69a0a7ae6548c079e5e7a1a0c8b40c0738e0fb52?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/serverhost.com\/blog"],"url":"https:\/\/serverhost.com\/blog\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/posts\/432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/comments?post=432"}],"version-history":[{"count":1,"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/posts\/432\/revisions"}],"predecessor-version":[{"id":2084,"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/posts\/432\/revisions\/2084"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/media\/433"}],"wp:attachment":[{"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/media?parent=432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/categories?post=432"},{"taxonomy":
"post_tag","embeddable":true,"href":"https:\/\/serverhost.com\/blog\/wp-json\/wp\/v2\/tags?post=432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}