
"The vulnerabilities exploit a confused deputy attack. An unauthorized user can manipulate a privileged process to perform actions on their behalf, without having the necessary rights themselves. Specifically, attackers abuse tools such as Sudo or Postfix to modify AppArmor profiles via pseudo-files such as /sys/kernel/security/apparmor/.load and .replace."
"This bypasses user-namespace restrictions and allows arbitrary code to run in the kernel. Consequences include local privilege escalation (LPE) to root, denial-of-service via stack exhaustion, and KASLR bypasses via out-of-bounds reads. Container isolation is also no longer guaranteed as a result."
"CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials. For CISOs, this means patching alone isn't enough; we must re-examine our entire assumption of what 'default' configurations mean for our infrastructure."
Nine critical vulnerabilities in AppArmor, the Linux Security Module that ships by default on Ubuntu, Debian, and SUSE, have been discovered by Qualys researchers and collectively named CrackArmor. The flaws have been present since kernel v4.11 (2017) and affect over 12.6 million enterprise Linux instances globally. They are exploited through confused deputy attacks, in which an unauthorized user manipulates a privileged process such as Sudo or Postfix into modifying AppArmor profiles through pseudo-files. This enables arbitrary kernel code execution, local privilege escalation to root, denial-of-service via stack exhaustion, KASLR bypasses, and loss of container isolation. Proof-of-concept exploits have been developed and shared with security teams to accelerate patching efforts.
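Because the quoted description names the exact pseudo-files a confused deputy must write to, a defender can watch for writes to them from anything other than the normal profile loader. The following is an added example (not code from Qualys or the article) that correlates auditd SYSCALL and PATH records by event serial and flags writes to `/sys/kernel/security/apparmor/.load` or `.replace` by a binary other than `apparmor_parser`; it assumes auditd is already logging writes to those paths, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not real logs): three events keyed by serial.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=1 success=yes exit=1234 comm="apparmor_parser" exe="/usr/sbin/apparmor_parser" uid=0
type=PATH msg=audit(1700000000.101:301): item=0 name="/sys/kernel/security/apparmor/.replace" inode=12 dev=00:0b mode=0100200 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.205:302): arch=c000003e syscall=1 success=yes exit=2048 comm="sudo" exe="/usr/bin/sudo" uid=1000
type=PATH msg=audit(1700000000.205:302): item=0 name="/sys/kernel/security/apparmor/.load" inode=11 dev=00:0b mode=0100200 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.300:303): arch=c000003e syscall=1 success=yes exit=16 comm="bash" exe="/usr/bin/bash" uid=1000
type=PATH msg=audit(1700000000.300:303): item=0 name="/tmp/notes.txt" inode=99 dev=08:01 mode=0100644 ouid=1000 ogid=1000
"""

# The AppArmor control pseudo-files named in the advisory.
APPARMOR_CONTROL_FILES = {
    "/sys/kernel/security/apparmor/.load",
    "/sys/kernel/security/apparmor/.replace",
}
# Assumption: on a healthy host the only legitimate writer of these files is apparmor_parser.
EXPECTED_WRITERS = {"/usr/sbin/apparmor_parser", "/sbin/apparmor_parser"}

_SERIAL = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group audit records by event serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = _SERIAL.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
        events[m.group(1)][fields["type"]].append(fields)
    return events


def find_profile_writes(text):
    """Return (serial, exe, path) for each event where an unexpected binary touched a control file."""
    hits = []
    for serial, recs in parse_records(text).items():
        touched = {p.get("name") for p in recs.get("PATH", [])} & APPARMOR_CONTROL_FILES
        for sc in recs.get("SYSCALL", []):
            if touched and sc.get("exe") not in EXPECTED_WRITERS:
                hits.append((serial, sc.get("exe"), sorted(touched)[0]))
    return hits


if __name__ == "__main__":
    for serial, exe, path in find_profile_writes(SAMPLE_AUDIT_LOG):
        print(f"event {serial}: {exe} wrote to {path}")
```

Run against a real audit.log the same correlation applies; a hit from sudo, postfix or any other non-loader binary is the deputy misuse the advisory describes and warrants investigation.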
#apparmor-vulnerabilities #linux-kernel-security #privilege-escalation #container-security #crackarmor-advisory
Read at Techzine Global