Cybersecurity researchers have uncovered multiple security vulnerabilities within the AppArmor module of the Linux kernel. These vulnerabilities can be exploited by unprivileged users to bypass kernel protections and escalate to root, compromising container isolation guarantees.
The Qualys Threat Research Unit (TRU) has collectively codenamed these nine confusing sub-vulnerabilities CrackArmor. The cybersecurity company said the issue has existed since 2017. This flaw has not been assigned a CVE identifier.
AppArmor is a Linux security module that protects the operating system from external or internal threats by providing Mandatory Access Control (MAC) and preventing known and unknown application flaws from being exploited. It’s included in the mainline Linux kernel since version 2.6.36.
“This ‘CrackArmor’ advisory exposes a confusing proxy flaw that allows unprivileged users to manipulate security profiles via pseudo files, bypass user namespace restrictions, and execute arbitrary code within the kernel,” said Saeed Abbasi, senior manager at Qualys TRU.
“These flaws facilitate escalation of local privileges to root through complex interactions with tools such as Sudo and Postfix, as well as denial of service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypass through out-of-bounds reads.”
Confused proxy vulnerabilities occur when a privileged program is coerced by an unprivileged user and abuses its privileges to perform unintended malicious actions. This issue essentially exploits the trust associated with a more privileged tool to execute commands that lead to privilege escalation.
Qualys says that entities without permission to take actions can manipulate AppArmor profiles to disable critical service protections or enforce a deny-all policy, potentially causing a denial of service (DoS) attack in the process.
“Combined with kernel-level flaws inherent in profile parsing, an attacker can bypass user namespace restrictions and achieve local privilege escalation (LPE) to full root.”
“Policy manipulation compromises the entire host, while namespace bypass facilitates advanced kernel exploits such as arbitrary memory disclosure. DoS and LPE capabilities can cause service outages, credential tampering via passwordless root (e.g. /etc/passwd changes), or KASLR disclosure, enabling further remote exploitation chains.”
Worse, CrackArmor allows unprivileged users to create fully functional user namespaces, effectively circumventing Ubuntu’s user namespace restrictions implemented by AppArmor, as well as breaking important security guarantees such as container isolation, least privilege enforcement, and service hardening.
The cybersecurity company said it will hold back on releasing proof-of-concept (PoC) exploits for identified flaws to give users time to prioritize patches and minimize risks.
This issue affects all Linux kernels starting with version 4.11 on distributions that integrate AppArmor. With over 12.6 million enterprise Linux instances running with AppArmor enabled by default on several major distributions such as Ubuntu, Debian, and SUSE, we recommend immediately applying kernel patches to mitigate these vulnerabilities.
“Immediate patching of the kernel remains a non-negotiable priority to neutralize these critical vulnerabilities, as interim mitigations do not provide the same level of security assurance as restoring vendor-fixed code paths,” Abbasi said.
Source link
