Critical AppArmor Vulnerabilities Expose Linux Systems to Root-Level Attacks
Qualys researchers discovered multiple critical vulnerabilities in AppArmor that allow unprivileged local users to escalate privileges to root, remove security profiles, and bypass kernel protections.
In a comprehensive security advisory, Qualys researchers have revealed multiple critical vulnerabilities in AppArmor, the Linux Security Module (LSM) that provides mandatory access control and is enabled by default in major distributions including Ubuntu, Debian, and SUSE. Taken together, these vulnerabilities represent one of the most significant security threats to Linux systems in recent years: an unprivileged local attacker can gain root and can disable or subvert the very access controls that AppArmor is meant to enforce.
The Confused Deputy Problem: A Fundamental Flaw
At the core of the discovered vulnerabilities lies what the researchers term a "confused deputy problem", a fundamental flaw in AppArmor's permission model. The pseudo-files used to manage AppArmor profiles (.load, .replace, and .remove) are world-writable (mode 0666), meaning any local user can open them for writing. A direct write by an unprivileged user still fails with permission denied, because the privilege check is made in the write path against the process performing the write rather than at open time. That is exactly the gap the researchers exploited: if a privileged process can be induced to perform the write on the attacker's behalf, the check passes.
By leveraging the behavior of privileged programs like su in pty mode, attackers can trick these programs into writing controlled strings to AppArmor's management interfaces. This technique, reminiscent of historical Linux kernel vulnerabilities like CVE-2012-0056 (Mempodipper), allows attackers to:
- Remove existing security profiles: attackers can disable protections for critical services such as cupsd and rsyslogd
- Load restrictive profiles: by loading "deny all" policies for services such as sshd, attackers can create denial-of-service conditions
- Bypass Ubuntu's user-namespace restrictions: even where publicly known bypasses have been patched, attackers can create user namespaces with full capabilities
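As an added example (not code from the Qualys advisory or from the AppArmor project), the following Python script shows two checks a defender can run on a host in light of the technique described above. First, it scans AppArmor audit STATUS events for profile load, replace and remove operations that did not originate from apparmor_parser, which is the footprint of a privileged helper such as su being used as a confused deputy to write into the .load/.replace/.remove interfaces. Second, it compares the kernel's loaded-profile list against the profiles the host is expected to enforce, so that a removed profile or one silently switched out of enforce mode is reported. The audit lines and profile listing in the block are constructed for the example; the field layout assumed for the audit lines follows the kernel's AppArmor STATUS messages, and the expected-profile list and the trusted process name are assumptions to adapt per host.

```python
import os
import re

# Assumption: on a healthy host, policy management is done only by
# apparmor_parser. Adapt this set if your distribution uses other tooling.
TRUSTED_COMM = {"apparmor_parser"}
POLICY_OPS = {"profile_load", "profile_replace", "profile_remove"}

# Assumption: profiles this host must keep in enforce mode.
EXPECTED_PROFILES = ["/usr/sbin/cupsd", "/usr/sbin/rsyslogd"]

# Constructed sample lines in the layout of kernel AppArmor STATUS audit
# messages (as seen in dmesg / journalctl -k). Lines 2 and 3 model the
# confused-deputy case: su, not apparmor_parser, removed the rsyslogd
# profile and replaced the sshd profile.
SAMPLE_AUDIT = [
    'audit: type=1400 audit(1700000000.101:41): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=1201 comm="apparmor_parser"',
    'audit: type=1400 audit(1700000000.202:42): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="/usr/sbin/rsyslogd" pid=2345 comm="su"',
    'audit: type=1400 audit(1700000000.303:43): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sshd" pid=2346 comm="su"',
    'audit: type=1400 audit(1700000000.404:44): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1500 comm="cupsd" requested_mask="r" denied_mask="r"',
]

# Constructed sample in the layout of /sys/kernel/security/apparmor/profiles:
# the rsyslogd profile is gone and sshd carries an attacker-loaded profile.
SAMPLE_PROFILES = "/usr/sbin/cupsd (enforce)\n/usr/sbin/sshd (enforce)\n"

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line as a dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(line)}


def suspicious_policy_events(lines):
    """Return (operation, profile name, comm, pid) for every policy-management
    STATUS event whose writing process is not a trusted policy tool."""
    hits = []
    for line in lines:
        fields = parse_audit_line(line)
        if fields.get("apparmor") != "STATUS":
            continue
        if fields.get("operation") in POLICY_OPS and fields.get("comm") not in TRUSTED_COMM:
            hits.append((fields["operation"], fields.get("name"), fields.get("comm"), fields.get("pid")))
    return hits


def missing_profiles(profiles_text, expected):
    """Return the expected profiles that are absent or not in enforce mode.
    Each input line looks like '/usr/sbin/cupsd (enforce)'."""
    loaded = {}
    for line in profiles_text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, mode = line.rpartition(" (")
        if sep:
            loaded[name] = mode.rstrip(")")
    return sorted(p for p in expected if loaded.get(p) != "enforce")


def read_live_profiles(path="/sys/kernel/security/apparmor/profiles"):
    """Read the kernel's profile list, or return None when it is unavailable
    (no securityfs, no AppArmor, or not running as root)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    for op, name, comm, pid in suspicious_policy_events(SAMPLE_AUDIT):
        print(f"suspicious {op} of {name} by comm={comm} pid={pid}")
    text = read_live_profiles()
    if text is None:
        text = SAMPLE_PROFILES
    for profile in missing_profiles(text, EXPECTED_PROFILES):
        print(f"profile not enforced: {profile}")
```

On a real host, feed the first check the kernel log (for example the output of journalctl -k or the AVC records in /var/log/audit/audit.log) and run the second as root so that the profile list in securityfs is readable. Note that comm is a weak signal on its own, since a process can rename itself; what makes it useful here is that the deputy being abused is a setuid binary such as su, whose name the attacker does not control.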
From Profile Manipulation to Root Privilege Escalation
The most concerning aspect of these vulnerabilities is how they can be transformed into full root privilege escalation. Researchers demonstrated multiple attack vectors:
User-Space LPE: The AppArmor + Sudo + Postfix Attack Chain
In one particularly ingenious exploit, researchers combined three components:
- An AppArmor profile that denies the CAP_SETUID capability to sudo
- The sudo program's behavior of sending email notifications when errors occur
- The Postfix mail server's susceptibility to command execution via environment variables
The attack sequence involves:
- Loading a restrictive AppArmor profile that prevents sudo from dropping privileges
- Executing sudo with a malicious MAIL_CONFIG environment variable
- When sudo fails to open its configuration file due to the AppArmor restrictions, it attempts to send an error notification
- This triggers Postfix to execute arbitrary commands as root
This "fail-open" scenario allows attackers to gain root privileges despite the security restrictions.
Kernel-Space Vulnerabilities
Beyond user-space exploits, researchers discovered multiple kernel vulnerabilities in AppArmor's code that can be triggered through profile manipulation:
Uncontrolled Recursion
AppArmor allows nested subprofiles (e.g., myprofile//mysubprofile). When removing a profile with deeply nested subprofiles, AppArmor's kernel code enters an uncontrolled recursion that exhausts the kernel stack, causing a complete system crash. While primarily a denial-of-service vulnerability, this demonstrates the potential for more severe kernel exploits.
Out-of-Bounds Read
A flaw in AppArmor's DFA (Deterministic Finite Automaton) matching code allows attackers to read up to 64KB of kernel memory. By crafting specially designed AppArmor profiles, researchers could disclose kernel pointers randomized by KASLR, potentially bypassing other security mitigations.
Use-After-Free
Perhaps the most sophisticated vulnerability involves a use-after-free in AppArmor's profile loading mechanism. By exploiting a race condition between file operations and profile removal, attackers can:
- Trigger the freeing of an aa_loaddata structure
- Reallocate the memory as page table entries
- Modify these entries to gain write access to otherwise protected memory
- Overwrite critical files like /etc/passwd to create a root account
This exploit works despite the CONFIG_RANDOM_KMALLOC_CACHES mitigation, which was designed to prevent such cross-cache attacks.
Double-Free
Another kernel vulnerability involves a double-free in the aa_replace_profiles() function when handling namespace specifications. By carefully timing profile replacements, attackers can free the same memory twice, leading to potential arbitrary code execution in kernel space.
Impact and Implications
The discovery of these vulnerabilities has profound implications for Linux security:
- Widespread Exposure: AppArmor is enabled by default in major Linux distributions, affecting millions of systems
- Privilege Escalation: Multiple attack paths lead to complete root compromise
- Security Bypass: Attackers can disable security protections and bypass kernel restrictions
- Persistence: By removing security profiles, attackers can maintain persistence on compromised systems
The vulnerabilities highlight a concerning trend in security research: as operating systems become more secure, attackers are finding creative ways to bypass security mechanisms by targeting their implementation rather than their design.
Mitigation and Response
Following responsible disclosure practices, Qualys worked with distribution vendors and the Linux kernel community to develop patches. The vulnerabilities have been fixed in the Linux kernel with the following patches:
- "apparmor: validate DFA start states are in bounds in unpack_pdb"
- "apparmor: fix memory leak in verify_header"
- "apparmor: replace recursive profile removal with iterative approach"
- "apparmor: fix: limit the number of levels of policy namespaces"
- "apparmor: fix side-effect bug in match_char() macro usage"
- "apparmor: fix missing bounds check on DEFAULT table in verify_dfa()"
- "apparmor: Fix double free of ns_name in aa_replace_profiles()"
- "apparmor: fix unprivileged local user can do privileged policy management"
- "apparmor: fix differential encoding verification"
- "apparmor: fix race on rawdata dereference"
- "apparmor: fix race between freeing data and fs accessing it"
System administrators are urged to apply kernel updates promptly. The patches have been incorporated into the mainline Linux kernel and should appear in distribution updates soon.
Broader Context
This research exemplifies the evolving nature of security research in Linux systems. As basic vulnerabilities become harder to find, researchers are digging deeper into complex subsystems and finding subtle flaws that can have catastrophic consequences.
The advisory also highlights the importance of the Linux kernel security community's coordinated disclosure process, which helped ensure patches were developed and distributed before public disclosure. This vulnerability serves as a reminder that even mature, widely-used security mechanisms can contain critical flaws that require ongoing vigilance from both developers and researchers.
For more technical details on these vulnerabilities, refer to the Qualys Security Advisory and the associated Linux kernel patches.