Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation
#Vulnerabilities


Security Reporter

Multiple critical vulnerabilities in the Linux kernel's AppArmor module allow unprivileged users to escalate to root, bypass container isolation, and undermine kernel protections; the flaws have existed since 2017.

The Linux kernel's AppArmor security module contains nine critical vulnerabilities that enable unprivileged users to escalate to root privileges and bypass container isolation, according to researchers from Qualys Threat Research Unit.


These confused deputy vulnerabilities, collectively codenamed CrackArmor, have existed since 2017 and affect all Linux kernels since version 4.11 on distributions that use AppArmor, including Ubuntu, Debian, and SUSE.

How CrackArmor Works

Confused deputy vulnerabilities occur when a privileged program is manipulated by an unauthorized user into misusing its privileges. In this case, unprivileged users can abuse AppArmor's profile parsing to:

  • Manipulate security profiles via pseudo-files
  • Bypass user-namespace restrictions
  • Execute arbitrary code within the kernel
  • Escalate to root privileges
  • Undermine container isolation guarantees

Technical Impact

The vulnerabilities enable attackers to:

  • Disable critical service protections or enforce deny-all policies, causing denial of service
  • Create fully-capable user namespaces, bypassing Ubuntu's user namespace restrictions
  • Subvert container isolation and least-privilege enforcement
  • Modify system files like /etc/passwd for passwordless root access
  • Bypass Kernel Address Space Layout Randomization (KASLR)

Affected Systems

With over 12.6 million enterprise Linux instances running AppArmor by default across major distributions, the scope is substantial. The vulnerabilities affect:

  • All Linux kernels since version 4.11
  • Ubuntu, Debian, SUSE, and other distributions using AppArmor
  • Containerized environments relying on AppArmor for isolation
  • Systems using AppArmor for service hardening

Mitigation Required

Qualys has withheld proof-of-concept exploits to give users time to patch. The company emphasizes that immediate kernel patching is the only effective mitigation. Interim workarounds do not provide the same security assurance as vendor-fixed code.

Broader Context

This discovery highlights the ongoing challenges in Linux security modules and container isolation. As container adoption grows, vulnerabilities in foundational security components like AppArmor become increasingly critical. The fact that these flaws have existed since 2017 underscores the importance of regular security audits and kernel updates.

For organizations running Linux with AppArmor enabled, checking kernel versions and applying the latest security patches should be a top priority. The combination of local privilege escalation and container bypass capabilities makes these vulnerabilities particularly dangerous in multi-tenant environments and cloud infrastructure.
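The inventory check below is an added example, not code from the article or from Qualys. It answers the two scoping questions the article raises for a host: is the AppArmor LSM enabled, and is the running kernel in the 4.11-or-later range the article names. It also reports Ubuntu's `kernel.apparmor_restrict_unprivileged_userns` sysctl for context, since the article states the flaws bypass that restriction (so its presence is not a mitigation). The helper names, the verdict strings, and the idea of feeding the checks file paths so they can be exercised against constructed inputs are this example's own assumptions. A kernel version string cannot reveal whether a vendor backported the fix, so an "in-scope" result means "confirm patch state against the distribution's advisory", not "vulnerable".

```shell
#!/bin/sh
# Added example (not the article's or Qualys' code): host scoping check for CrackArmor.
# Reads the live kernel version and sysfs/procfs by default; paths can be overridden
# so the functions can be tested against constructed files.

# Return 0 if kernel version $1 (e.g. "5.15.0-91-generic") is >= $2 (e.g. "4.11").
# Only major.minor are compared; suffixes such as "-generic" or ".el7.x86_64" are dropped.
kernel_at_least() {
    v="$1"; min="$2"
    v_major=$(printf '%s' "$v" | cut -d. -f1)
    v_minor=$(printf '%s' "$v" | cut -d. -f2 | sed 's/[^0-9].*//')
    m_major=$(printf '%s' "$min" | cut -d. -f1)
    m_minor=$(printf '%s' "$min" | cut -d. -f2 | sed 's/[^0-9].*//')
    if [ "$v_major" -gt "$m_major" ]; then
        return 0
    fi
    if [ "$v_major" -eq "$m_major" ] && [ "${v_minor:-0}" -ge "${m_minor:-0}" ]; then
        return 0
    fi
    return 1
}

# Return 0 if the AppArmor module reports itself enabled.
# The kernel exposes this as "Y" or "N" in /sys/module/apparmor/parameters/enabled.
apparmor_enabled() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "Y" ]
}

# Report Ubuntu's unprivileged user-namespace restriction sysctl (1 = restricted).
# Informational only: the article says CrackArmor bypasses this restriction.
userns_restriction_status() {
    f="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    if [ ! -r "$f" ]; then
        echo "not-present"
    elif [ "$(cat "$f")" = "1" ]; then
        echo "restricted"
    else
        echo "unrestricted"
    fi
}

# Combine the checks into one verdict line suitable for a fleet inventory.
# $1 = kernel version string, $2 = path to the AppArmor "enabled" flag file.
crackarmor_scope() {
    kver="$1"; aa_file="$2"
    if ! apparmor_enabled "$aa_file"; then
        echo "out-of-scope: AppArmor not enabled"
        return 0
    fi
    if kernel_at_least "$kver" 4.11; then
        echo "in-scope: AppArmor enabled on kernel $kver (>= 4.11); verify vendor fix"
    else
        echo "out-of-scope: kernel $kver predates 4.11"
    fi
}

# Stand-alone run against the live host.
echo "host: $(uname -n)"
echo "verdict: $(crackarmor_scope "$(uname -r)" /sys/module/apparmor/parameters/enabled)"
echo "unprivileged userns restriction: $(userns_restriction_status)"
```

Run it as-is on each host, or source it and call `crackarmor_scope` from a larger inventory script; the verdict is text rather than an exit code so that a fleet-wide run can be grepped for `in-scope` and then reconciled against the distribution's advisory for the actual fixed kernel build.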

The research demonstrates how complex interactions between security modules and kernel features can create unexpected attack surfaces, even in well-established security frameworks like AppArmor.
