
Sid 1-49487

Message

FILE-OTHER Snapd dirty_sock exploit download attempt

Summary

This event is generated when an attempt to download an exploit for the snapd REST API (the "dirty_sock" local privilege escalation) is detected.

Impact

High

Detailed information

snapd 2.28 through 2.37 (CVE-2019-7304) incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket. The daemon identified each client by a single string that combined the kernel-supplied pid and uid with the path the client had bound its own socket to; because that string was re-tokenized as a whole, a local attacker could bind a client socket to a path containing ";uid=0;" and be treated as root. This gave access to privileged socket APIs and allowed obtaining administrator privileges. Note that the exploitation itself happens over a local UNIX socket and is not visible on the network; this rule only detects the transfer of the exploit code to a host, so a hit warrants checking the snapd version on the receiving machine.
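To make the parsing flaw above concrete, here is an added Go example written for this page; it is not snapd's own code. It rebuilds a peer-address string in the shape described (pid and uid from the kernel, followed by the client-chosen socket path), parses it once with the flawed tokenize-everything logic and once with a fixed-field parser, and shows what each hands to the access-control check. The pid, uid and socket path values are constructed for the demonstration, and the hardened parser is one sound approach, not necessarily the patch snapd shipped.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// peerAddr builds the per-connection address string in the shape described
// in the advisory: pid and uid come from the kernel (SO_PEERCRED) and are
// trustworthy, but "socket" is the path the *client* bound its socket to,
// which the client picks freely.
func peerAddr(pid, uid uint32, clientPath string) string {
	return fmt.Sprintf("pid=%d;uid=%d;socket=%s;", pid, uid, clientPath)
}

// vulnerableParse reproduces the flawed idea: tokenize the whole string on ';'
// and accept a uid= token wherever it appears, so a later one wins.
func vulnerableParse(addr string) (pid, uid uint32, socket string, err error) {
	for _, tok := range strings.Split(addr, ";") {
		switch {
		case strings.HasPrefix(tok, "pid="):
			v, e := strconv.ParseUint(tok[4:], 10, 32)
			if e != nil {
				return 0, 0, "", e
			}
			pid = uint32(v)
		case strings.HasPrefix(tok, "uid="):
			v, e := strconv.ParseUint(tok[4:], 10, 32)
			if e != nil {
				return 0, 0, "", e
			}
			uid = uint32(v) // an attacker-supplied "uid=0" inside the path lands here
		case strings.HasPrefix(tok, "socket="):
			socket = tok[7:]
		}
	}
	return pid, uid, socket, nil
}

// hardenedParse treats the fields as fixed-position: exactly one pid=, one uid=,
// then the socket path as the remainder of the string. The path is never
// re-tokenized, so nothing it contains can reach the credential fields.
func hardenedParse(addr string) (pid, uid uint32, socket string, err error) {
	parts := strings.SplitN(addr, ";", 3)
	if len(parts) != 3 ||
		!strings.HasPrefix(parts[0], "pid=") ||
		!strings.HasPrefix(parts[1], "uid=") ||
		!strings.HasPrefix(parts[2], "socket=") {
		return 0, 0, "", errors.New("malformed peer address")
	}
	p, err := strconv.ParseUint(parts[0][4:], 10, 32)
	if err != nil {
		return 0, 0, "", err
	}
	u, err := strconv.ParseUint(parts[1][4:], 10, 32)
	if err != nil {
		return 0, 0, "", err
	}
	socket = strings.TrimSuffix(parts[2][7:], ";") // drop the format's trailing ';'
	return uint32(p), uint32(u), socket, nil
}

// isPrivileged is the access-control question the daemon asks: root may call
// the privileged API, everyone else may not.
func isPrivileged(uid uint32) bool { return uid == 0 }

func main() {
	// Constructed scenario: unprivileged uid 1000 binds its client socket to a
	// path that smuggles a uid field, then connects to the daemon.
	addr := peerAddr(4242, 1000, "/tmp/sock;uid=0;")
	fmt.Printf("peer address: %q\n", addr)
	_, uid, sock, _ := vulnerableParse(addr)
	fmt.Printf("vulnerable: uid=%d socket=%q privileged=%v\n", uid, sock, isPrivileged(uid))
	_, uid, sock, err := hardenedParse(addr)
	fmt.Printf("hardened:   uid=%d socket=%q privileged=%v err=%v\n", uid, sock, isPrivileged(uid), err)
}
```

Running it prints the vulnerable parser reporting uid 0 (privileged) and the hardened parser reporting uid 1000 with the full, odd-looking path preserved as data. The deeper lesson is that the kernel-supplied credentials and the client-controlled path should never have shared one delimiter-separated string in the first place; carrying them in separate fields removes the parsing question entirely.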

Affected systems

  • Snapd versions 2.28 through 2.37

Ease of attack

Medium

False positives

False negatives

Corrective action

Upgrade snapd to the latest available version; releases after 2.37 are not affected.

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • initblog.com/2019/dirty-sock/