CrackArmor: Nine Linux AppArmor Flaws Enable Root Escalation

By alex2404

Nine vulnerabilities in the Linux kernel’s AppArmor security module allow unprivileged users to escalate privileges to root, bypass container isolation, and execute arbitrary kernel-level code, according to researchers at Qualys Threat Research Unit.

The flaws, collectively named CrackArmor by Qualys TRU, have existed since 2017 and affect all Linux kernels from version 4.11 onward on any distribution that ships with AppArmor enabled. No CVE identifiers have been assigned. More than 12.6 million enterprise Linux instances run with AppArmor active by default, including systems running Ubuntu, Debian, and SUSE.

All nine are classified as confused deputy vulnerabilities — a class of flaw where a privileged program is manipulated by an unauthorized user into misusing its own privileges to carry out unintended actions. An attacker without the permissions to modify security configurations can coerce AppArmor into disabling critical service protections or enforcing deny-all policies, triggering denial-of-service conditions in the process.

Saeed Abbasi, senior manager of Qualys TRU, said the flaws “expose a confused deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel.” He added that the vulnerabilities enable local privilege escalation through interactions with tools like Sudo and Postfix, denial-of-service attacks via stack exhaustion, and KASLR bypasses through out-of-bounds reads.

Among the more serious consequences: an attacker can modify /etc/passwd to establish passwordless root access, disclose kernel memory addresses to enable remote exploitation chains, and create fully capable user namespaces that sidestep Ubuntu’s namespace restrictions — restrictions that AppArmor itself was meant to enforce.
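Two of the points above translate directly into defender checks: the affected population stated earlier (kernels from 4.11 onward with AppArmor enabled) and the post-exploitation artefact described here (a passwordless root entry in /etc/passwd). The script below is an added example written for this summary; it is not code from Qualys TRU or from the original article. The file paths /proc/sys/kernel/osrelease and /sys/module/apparmor/parameters/enabled are standard Linux interfaces, and the passwd sample is constructed for illustration.

```python
"""Defender-side triage helpers for the CrackArmor advisory summarised above (added example)."""
import re
from typing import Iterable, List, Tuple

# The advisory states the flaws affect kernels from 4.11 onward wherever AppArmor is enabled.
AFFECTED_FROM = (4, 11)


def parse_kernel_version(release: str) -> Tuple[int, int]:
    """Extract (major, minor) from a `uname -r` style string such as '5.15.0-91-generic'."""
    m = re.match(r"^(\d+)\.(\d+)", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def kernel_in_affected_range(release: str) -> bool:
    """True when the running kernel falls in the 4.11+ range the advisory names."""
    return parse_kernel_version(release) >= AFFECTED_FROM


def apparmor_enabled(sys_value: str) -> bool:
    """/sys/module/apparmor/parameters/enabled reads 'Y' when the module is active."""
    return sys_value.strip() == "Y"


def host_exposed(release: str, apparmor_param: str) -> bool:
    """An unpatched host is in scope when both conditions from the advisory hold."""
    return kernel_in_affected_range(release) and apparmor_enabled(apparmor_param)


def audit_passwd(lines: Iterable[str]) -> List[str]:
    """Flag passwd entries matching the outcome the advisory warns about:
    an empty password field (no shadow reference) or an extra UID-0 account."""
    findings: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # passwd(5) defines exactly seven colon-separated fields
            findings.append(f"malformed entry: {line}")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(f"empty password field: {name}")
        if uid == "0" and name != "root":
            findings.append(f"extra UID-0 account: {name}")
    return findings


# Constructed sample: 'evil' is the kind of passwordless root entry the advisory describes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
evil::0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def _read(path: str, default: str) -> str:
    """Read a small text file, falling back to a default when not on Linux."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return default


if __name__ == "__main__":
    release = _read("/proc/sys/kernel/osrelease", "0.0")
    aa = _read("/sys/module/apparmor/parameters/enabled", "N")
    print(f"kernel {release.strip()}, AppArmor enabled={apparmor_enabled(aa)}, "
          f"in affected population={host_exposed(release, aa)}")
    passwd_text = _read("/etc/passwd", SAMPLE_PASSWD)
    for finding in audit_passwd(passwd_text.splitlines()):
        print("passwd finding:", finding)
```

The exposure check only tells you a host is in the affected population; it cannot tell you whether the vendor fix is already applied, since the article reports no CVE identifiers or fixed versions, so pair it with your distribution's advisory tracking. The passwd audit is cheap enough to run from a periodic integrity job and complements file-hash monitoring of /etc/passwd.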

Container Isolation at Risk

Policy manipulation through these flaws compromises the host system entirely, while namespace bypasses open the door to arbitrary memory disclosure. Container isolation guarantees, least-privilege enforcement, and service hardening can all be subverted by an unprivileged local user exploiting the identified weaknesses.

AppArmor has been part of the mainline Linux kernel since version 2.6.36, providing mandatory access control intended to prevent both known and unknown application flaws from being exploited. The vulnerability class disclosed here inverts that protection — turning the security module into a vector for the attacks it was designed to block.

Patches and Disclosure

Qualys says it is withholding proof-of-concept exploit code to allow administrators time to apply patches before active exploitation becomes feasible.

Abbasi was direct on the remediation priority: “Immediate kernel patching remains the non-negotiable priority for neutralizing these critical vulnerabilities, as interim mitigation does not offer the same level of security assurance as restoring the vendor-fixed code path.” No interim workaround is considered equivalent to a full patch.


This article is a curated summary based on third-party sources.