CVE-2020-27352 in snapd

Summary

by MITRE • 06/21/2024

When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended.


Analysis

by VulDB Data Team • 08/27/2025

The vulnerability described in CVE-2020-27352 resides in snapd's generation of systemd service units for the docker snap and for similar snaps that run their own container processes. It is a privilege escalation concern that stems from a missing cgroup delegation setting in the generated unit. When snapd writes the service unit for such a snap, it does not set Delegate=yes, the directive that tells systemd the service owns and manages everything below its own cgroup. Without it, systemd treats the subtree as its own to manage, and processes that the snap's daemon placed in child cgroups can end up back in the parent snap's cgroup when systemd reloads its units.

The flaw manifests through systemd's default cgroup handling when Delegate= is not configured. A service that creates child cgroups for its containers relies on those child cgroups to enforce per-container limits and restrictions. Without Delegate=yes, systemd considers the unit's whole cgroup subtree to be under its own control and, on operations such as a daemon reload, migrates any processes it finds in sub-cgroups back into the unit's main cgroup. A container process moved in this way is no longer governed by its own cgroup but by the daemon's, so cgroup-enforced controls applied to the container, such as resource limits or device access rules, no longer apply to it. This is the privilege escalation vector: the container may acquire access it was never meant to have.
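The following script is an added example, not snapd's or systemd's own code. It shows the shape of a snapd-generated service unit before and after the fix (both unit bodies are constructed for illustration and differ in detail from the real snap.docker.dockerd.service) and audits unit text for an effective Delegate= setting using systemd's own parsing rules: only the [Service] section counts, the last assignment wins, a boolean true or a non-empty controller list enables delegation, and an empty value resets it. The audit_snap_services and live_delegate_check helpers are assumptions about where snapd installs its units and about the systemctl show interface; they only run when called on a live host.

```shell
#!/bin/sh
# Added example, not snapd's or systemd's own code: audit a systemd unit for
# cgroup delegation. The two unit bodies below are constructed to illustrate
# the before/after shape of a snapd-generated service unit; the real
# snap.docker.dockerd.service differs in detail.

# As generated before the fix: no Delegate= line at all.
UNIT_BEFORE='[Unit]
Description=Service for snap application docker.dockerd
After=network.target

[Service]
ExecStart=/usr/bin/snap run docker.dockerd
Restart=always
Type=simple

[Install]
WantedBy=multi-user.target'

# Same unit with the fix: Delegate= tells systemd that everything below this
# unit's cgroup belongs to the service and must not be touched on reload.
UNIT_AFTER='[Unit]
Description=Service for snap application docker.dockerd
After=network.target

[Service]
ExecStart=/usr/bin/snap run docker.dockerd
Restart=always
Type=simple
Delegate=true

[Install]
WantedBy=multi-user.target'

# unit_delegates UNIT_TEXT
# Prints "yes" if the [Service] section enables delegation, "no" otherwise.
# Only [Service] counts, the last Delegate= assignment wins, a boolean true or a
# non-empty controller list enables it, and an empty value resets to the default.
unit_delegates() {
    printf '%s\n' "$1" | awk '
        /^\[/            { in_service = ($0 == "[Service]"); next }
        !in_service      { next }
        /^[ \t]*Delegate[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); v = tolower($0); sub(/[ \t]+$/, "", v)
            if (v == "" || v == "no" || v == "false" || v == "off" || v == "0") on = 0
            else on = 1
        }
        END { print (on ? "yes" : "no") }
    '
}

# live_delegate_check UNIT (assumed interface: systemctl show -p Delegate --value)
# Asks the running systemd for the effective value of an installed unit, which
# also accounts for drop-in overrides that a file-level check would miss.
live_delegate_check() {
    systemctl show -p Delegate --value "$1"
}

# audit_snap_services (assumes snapd installs units as /etc/systemd/system/snap.*.service)
# Flags every installed snap service unit without delegation. Only services that
# spawn their own cgroup subtree (docker and similar) need it, so review the list.
audit_snap_services() {
    for unit in /etc/systemd/system/snap.*.service; do
        [ -e "$unit" ] || continue
        printf '%s\t%s\n' "$(unit_delegates "$(cat "$unit")")" "$unit"
    done
}

printf 'before fix: Delegate=%s\n' "$(unit_delegates "$UNIT_BEFORE")"
printf 'after fix:  Delegate=%s\n' "$(unit_delegates "$UNIT_AFTER")"
```

On a patched host, live_delegate_check snap.docker.dockerd.service should print yes; a no on a unit whose daemon manages its own container cgroups is the condition this CVE describes.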

The operational impact reaches beyond the single daemon. A container in an affected snap may gain access to resources, capabilities or system interactions that were meant to stay restricted to the host or to other containers, and an attacker who already controls a container could use that to extend their reach beyond its intended boundary. The concern is not limited to docker: snapd generates units for every snap, and any snap whose daemon manages its own child cgroups in the same way is exposed to the same delegation flaw.

From a security standards perspective, this vulnerability maps to CWE-276 (Incorrect Default Permissions) and CWE-269 (Improper Privilege Management), and to ATT&CK technique T1068 (Exploitation for Privilege Escalation). The missing delegation is a misconfiguration in the system's privilege management framework that permits unintended process migration and resource access. Organizations should update snapd to a release that sets Delegate=yes for the affected service units, and audit all snap-managed containerized applications to confirm that the effective unit configuration delegates the cgroup subtree.

Remediation should ensure that every systemd service unit snapd generates for a container-managing snap carries Delegate=yes, so that the child cgroups the daemon creates survive unit reloads and the isolation between container processes and the daemon's own cgroup holds. Administrators can verify the effective value of an installed unit with systemctl show -p Delegate on that unit, which also accounts for drop-in overrides. They should also watch for processes that move between cgroups unexpectedly, for instance by comparing the cgroup of each container process before and after a daemon reload, and review other snap-managed services for the same omission. The case shows how a single missing directive in a unit file can undo the isolation a container runtime depends on.
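The detection described above, as an added example that is not part of the original analysis or of snapd: it classifies a process by its cgroup path as still isolated in a child cgroup of the daemon, migrated into the daemon's own cgroup (the symptom of this CVE), or elsewhere. The /proc/<pid>/cgroup contents are constructed for illustration, and the service cgroup path and the layout of container cgroups beneath it are assumptions; on a real host they depend on the cgroup version and the runtime's cgroup driver. The check_container_pids helper assumes the docker CLI is available and only runs when called.

```shell
#!/bin/sh
# Added example, not snapd's own code: detect a container process that has been
# pulled out of its own cgroup and into the snap daemon's cgroup. The
# /proc/<pid>/cgroup contents below are constructed for illustration.

# Assumed cgroup of the snap's daemon; adjust to the host.
SERVICE_CG=/system.slice/snap.docker.dockerd.service

# cgroup v2 (unified hierarchy): a single "0::<path>" line.
CG_CONTAINER_V2='0::/system.slice/snap.docker.dockerd.service/docker/4f2a0c1d'
CG_MIGRATED_V2='0::/system.slice/snap.docker.dockerd.service'

# cgroup v1: one line per hierarchy; the devices hierarchy is the one that
# enforces device-access restrictions on the container.
CG_CONTAINER_V1='11:devices:/system.slice/snap.docker.dockerd.service/docker/4f2a0c1d
10:memory:/system.slice/snap.docker.dockerd.service/docker/4f2a0c1d
1:name=systemd:/system.slice/snap.docker.dockerd.service/docker/4f2a0c1d'

# cgroup_path CONTENT -> prints the path to judge a process by: the unified
# hierarchy on v2, the devices hierarchy on v1, otherwise the first line.
cgroup_path() {
    printf '%s\n' "$1" | awk -F: '
        $2 == ""        { unified = $3 }
        $2 == "devices" { devices = $3 }
        NR == 1         { first = $3 }
        END {
            if (unified != "") print unified
            else if (devices != "") print devices
            else print first
        }
    '
}

# cgroup_state SERVICE_CGROUP PATH -> prints one of:
#   migrated   the process sits directly in the daemon's cgroup (the CVE symptom)
#   isolated   the process is still in a child cgroup of the daemon
#   elsewhere  the process is not under the daemon at all
cgroup_state() {
    case "$2" in
        "$1")   echo migrated ;;
        "$1"/*) echo isolated ;;
        *)      echo elsewhere ;;
    esac
}

# check_container_pids: on a live host, classify the init PID of every running
# container. Run it once, then again after "systemctl daemon-reload", to see
# whether an unpatched snapd lets systemd move the containers.
check_container_pids() {
    for id in $(docker ps -q); do
        pid=$(docker inspect -f '{{.State.Pid}}' "$id")
        path=$(cgroup_path "$(cat "/proc/$pid/cgroup")")
        printf '%s\t%s\t%s\n' "$id" "$(cgroup_state "$SERVICE_CG" "$path")" "$path"
    done
}

printf 'container before reload: %s\n' "$(cgroup_state "$SERVICE_CG" "$(cgroup_path "$CG_CONTAINER_V2")")"
printf 'container after reload:  %s\n' "$(cgroup_state "$SERVICE_CG" "$(cgroup_path "$CG_MIGRATED_V2")")"
```

A migrated result after a daemon reload, for a container that was isolated before it, is the observable effect of the missing Delegate= setting; on a patched snapd the classification should not change across the reload.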

Responsible

Canonical Ltd.

Reservation

10/20/2020

Disclosure

06/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00256

KEV

no

Activities

very low

Sources
