
Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation

Ravie Lakshmanan | March 13, 2026 | Linux / Vulnerability

Cybersecurity researchers have uncovered multiple security vulnerabilities in the AppArmor module of the Linux kernel that unprivileged users can exploit to bypass kernel protections, escalate to root, and undermine container isolation guarantees.

The nine confused-deputy flaws have been collectively named CrackArmor by the Qualys Threat Research Unit (TRU). The cybersecurity company said the issues have existed since 2017. No CVE identifiers have been assigned to the vulnerabilities.

AppArmor is a Linux security module that provides mandatory access control (MAC) and protects the operating system against external or internal threats by preventing known and unknown application bugs from being exploited. It has been included in the main Linux kernel since version 2.6.36.

“This ‘CrackArmor’ advisory exposes an obfuscated pin flaw that allows unprivileged users to implement security profiles with fake files, bypass user namespace restrictions, and execute arbitrary code within the kernel,” said Saeed Abbasi, senior manager of Qualys TRU.

“These flaws help local privilege escalation grow through complex interactions with tools like Sudo and Postfix, as well as denial-of-service attacks through stack exhaustion and bypass of Kernel Address Space Layout Randomization (KASLR) through out-of-bounds reads.”

A confused deputy vulnerability occurs when a privileged component is tricked by a less-privileged user into misusing its own privileges to perform unintended, malicious actions. In effect, the attacker borrows the trust placed in a more privileged tool to execute a command that leads to privilege escalation.

Qualys said that a user without administrative permissions can manipulate AppArmor profiles to disable protections on critical services or enforce deliberately restrictive policies, causing a denial-of-service (DoS) condition in the process.

“Combined with kernel-level flaws found in profiling, attackers bypass local user namespace restrictions and gain Local Privilege Escalation (LPE) to full root,” it added.

“Policy manipulation harms the entire host, while namespace traversal facilitates advanced kernel exploits such as random memory exposure. DoS and LPE capabilities result in service interruption, credential compromise via passwordless root (e.g., /etc/passwd modification), or KASLR exposure, allowing remote attacks to proceed.”

To make matters worse, CrackArmor allows unprivileged users to create fully privileged user namespaces, bypassing the user namespace restrictions that Ubuntu enforces through AppArmor, and to subvert important security guarantees such as container isolation, least privilege, and service integrity.

The cybersecurity company said it is holding back on releasing a proof-of-concept (PoC) of the identified flaws to give users time to prioritize patches and minimize exposure.

The problem affects all Linux kernels from version 4.11 onward on any distribution that ships AppArmor. With more than 12.6 million enterprise Linux instances running with AppArmor enabled by default on several major distributions, such as Ubuntu, Debian, and SUSE, immediate kernel patching is advised to mitigate these vulnerabilities.
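The paragraphs above give a defender three things to check before patching windows are scheduled: whether AppArmor is actually loaded, whether the running kernel is in the affected range (4.11 and later), and whether Ubuntu's AppArmor-backed restriction on unprivileged user namespaces is in force. The following read-only script is an added example written for this article, not code from Qualys or the AppArmor project. It assumes the standard sysfs and procfs locations (`/sys/module/apparmor/parameters/enabled`, `/sys/kernel/security/apparmor/profiles`, and Ubuntu's `kernel.apparmor_restrict_unprivileged_userns` sysctl); each reader takes a path argument so it can also be run against sample files, and a missing file is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added exposure check for the CrackArmor advisory (example code, not from
# Qualys or the article). Read-only: reports AppArmor state, whether the
# running kernel is 4.11 or later (the affected range per the advisory),
# how many loaded profiles are in enforce vs complain mode, and whether
# Ubuntu's unprivileged user-namespace restriction is on.

# Kernel version check on "MAJOR.MINOR[.PATCH][-suffix]": prints "affected"
# for 4.11 and later, "not-affected" below that, "unknown" if unparseable.
is_affected_kernel() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}
    case "$major$minor" in *[!0-9]*|"") echo unknown; return;; esac
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 11 ]; }; then
        echo affected
    else
        echo not-affected
    fi
}

# AppArmor LSM state from /sys/module/apparmor/parameters/enabled
# ("Y" when the module is active).
apparmor_state() {
    f=$1
    [ -r "$f" ] || { echo not-loaded; return; }
    case "$(cat "$f")" in Y) echo enabled;; *) echo disabled;; esac
}

# Profile modes from /sys/kernel/security/apparmor/profiles, which lists one
# "name (mode)" line per loaded profile (root is normally needed to read it).
profile_mode_summary() {
    f=$1
    [ -r "$f" ] || { echo "enforce=? complain=?"; return; }
    awk '/\(enforce\)$/ {e++} /\(complain\)$/ {c++}
         END {printf "enforce=%d complain=%d\n", e, c}' "$f"
}

# Ubuntu's kernel.apparmor_restrict_unprivileged_userns sysctl, exposed at
# /proc/sys/kernel/apparmor_restrict_unprivileged_userns: 1 = restricted.
# Absent on non-Ubuntu kernels and older Ubuntu releases, hence "unknown".
userns_restriction_state() {
    f=$1
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f")" in 1) echo restricted;; 0) echo unrestricted;; *) echo unknown;; esac
}

report() {
    echo "kernel $(uname -r): $(is_affected_kernel "$(uname -r)")"
    echo "apparmor: $(apparmor_state /sys/module/apparmor/parameters/enabled)"
    echo "profiles: $(profile_mode_summary /sys/kernel/security/apparmor/profiles)"
    echo "unprivileged userns: $(userns_restriction_state /proc/sys/kernel/apparmor_restrict_unprivileged_userns)"
}

report
```

Run it as root to get the profile summary; the other three readings work unprivileged. A host that reports "enabled", "affected" and "unrestricted" (or "unknown" on a non-Ubuntu distribution) has no compensating control against the user-namespace bypass described above and belongs at the front of the patching queue.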

“Immediate kernel patching remains a non-negotiable priority to mitigate this critical vulnerability, as temporary mitigations do not provide the same level of security assurance as restoring the vendor’s fixed code approach,” Abbasi noted.
