Cybersecurity experts have identified significant security issues within the Linux kernel’s AppArmor module. These vulnerabilities, which have been present since 2017, allow unprivileged users to bypass kernel protections, escalate privileges to root, and compromise container isolation. The vulnerabilities have been dubbed ‘CrackArmor’ by the Qualys Threat Research Unit (TRU), although they currently lack CVE identifiers.
Understanding the AppArmor Module
AppArmor is a security module in Linux that enforces mandatory access control (MAC) to protect the operating system against various threats by preventing the exploitation of application vulnerabilities. It has been a part of the mainline Linux kernel since version 2.6.36. The recent findings highlight a ‘confused deputy’ flaw where users can exploit pseudo-files to manipulate security profiles, bypass user-namespace restrictions, and execute arbitrary kernel code.
Details of the CrackArmor Vulnerabilities
The vulnerabilities enable local privilege escalation to root, facilitated by complex interactions with privileged tools such as Sudo and Postfix. They also pose risks of denial-of-service attacks through stack exhaustion and of bypassing Kernel Address Space Layout Randomization (KASLR) via out-of-bounds reads. In each case, the attacks abuse the trust placed in privileged tools to perform unauthorized, malicious actions on an attacker's behalf (the confused-deputy pattern).
Qualys warned that unauthorized users could manipulate AppArmor profiles to disable critical service protections or enforce deny-all policies, triggering DoS attacks. By exploiting kernel-level flaws in profile parsing, attackers can bypass user-namespace restrictions, leading to local privilege escalation (LPE) to full root access.
Implications and Recommendations
The CrackArmor vulnerabilities can compromise entire host systems, allowing for advanced exploits such as arbitrary memory disclosure and credential tampering. They also undermine critical security guarantees, including container isolation and service hardening. Qualys has decided to withhold proof-of-concept (PoC) exploits to give users time to prioritize patching efforts.
These vulnerabilities impact all Linux kernels since version 4.11 on distributions that use AppArmor, affecting over 12.6 million enterprise Linux instances. Major distributions such as Ubuntu, Debian, and SUSE are particularly exposed, and immediate kernel patching is strongly recommended to mitigate these risks effectively.
According to Saeed Abbasi of Qualys, interim mitigation measures do not offer the same level of security assurance as applying the vendor-fixed code paths. Addressing these vulnerabilities through immediate patching is therefore essential to neutralize the potential threats.
