Ubuntu's AppArmor security module, a critical component of the Linux kernel's security framework, has been affected by multiple vulnerabilities that could allow local privilege escalation when combined with sudo issues.
Critical Vulnerabilities Discovered in AppArmor
The AppArmor Linux kernel security module, notably used by Ubuntu Linux and maintained by Canonical, has been affected by several vulnerabilities made public today by Qualys researchers. These issues, collectively dubbed "CrackArmor," range from denial of service vulnerabilities to kernel memory information leaks.
When paired with a sudo issue, these vulnerabilities can lead to local privilege escalation, a significant security concern for Ubuntu deployments.
Scope of the Security Issues
The vulnerabilities affect AppArmor code within the Linux kernel and include:
- Memory leaks in header verification
- Recursive profile removal issues
- Policy namespace level limitations
- Side-effect bugs in character matching macros
- Missing bounds checks in DFA verification
- Double free vulnerabilities in namespace handling
- Race conditions between data freeing and filesystem access
- Differential encoding verification flaws
Ubuntu's Response and Fixes
Canonical has been quick to respond to these security concerns. Updates for all affected Ubuntu Linux releases are rolling out as we speak. The Ubuntu Blog has published detailed information about these AppArmor security vulnerabilities and the critical fixes being implemented.
The Sudo Connection
Where the situation becomes particularly concerning is the interaction with sudo. The researchers discovered that when combined with sudo vulnerabilities, the AppArmor issues can lead to privilege escalations for local users. This combination creates a more severe threat vector than either issue alone.
Additional Hardening Measures
Beyond the AppArmor fixes, unsafe behavior was also discovered in the su utility that can lead to exploitation of the AppArmor vulnerabilities in host deployments. As a result, su is also being hardened.
The sudo issue affects Ubuntu Linux releases back to Ubuntu 22.04 LTS, while the su hardening in util-linux goes back to Ubuntu 20.04 LTS, ensuring broad coverage across supported Ubuntu versions.
Technical Details of the Fixes
The AppArmor kernel fixes address numerous specific issues:
- Validation of DFA start states to ensure they're within bounds during unpacking
- Memory leak fixes in header verification
- Replacement of recursive profile removal with iterative approaches
- Limits on policy namespace levels to prevent abuse
- Bounds checking on DEFAULT table in DFA verification
- Fixes for double free of ns_name in profile replacement
- Prevention of unprivileged local users from performing privileged policy management
- Fixes for differential encoding verification
- Race condition fixes between data freeing and filesystem access
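The DFA items in this list (start-state validation, bounds checking on the DEFAULT table) come down to verifying every index in an untrusted table-driven automaton before the matcher dereferences it. The C program below is an added example of that pattern and is not AppArmor's kernel code; the struct layout, field names, error codes and sample tables are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a table-driven DFA unpacked from untrusted policy
 * data. Field names are assumptions for this example, not kernel names. */
struct dfa {
    size_t state_count;       /* entries in def[] and base[] */
    size_t trans_count;       /* entries in next[] and check[] */
    const uint16_t *def;      /* DEFAULT: fallback state per state */
    const uint32_t *base;     /* BASE: offset into next[]/check[] */
    const uint16_t *next;     /* NEXT: target state of each slot */
    const uint16_t *check;    /* CHECK: owning state of each slot */
    uint16_t start;           /* start state read from the blob */
};

/* Returns 0 if every index the matcher will use is in bounds, else <0. */
int dfa_verify(const struct dfa *d)
{
    if (d->state_count == 0 || d->start >= d->state_count)
        return -1;                      /* start state out of bounds */
    for (size_t s = 0; s < d->state_count; s++) {
        if (d->def[s] >= d->state_count)
            return -2;                  /* DEFAULT entry out of bounds */
        /* the matcher reads slot base[s] + c for input bytes c in 0..255 */
        if (d->trans_count < 256 || d->base[s] > d->trans_count - 256)
            return -3;                  /* BASE would index past the tables */
    }
    for (size_t i = 0; i < d->trans_count; i++)
        if (d->next[i] >= d->state_count || d->check[i] >= d->state_count)
            return -4;                  /* transition to a nonexistent state */
    return 0;
}
/* Constructed sample: 2 states, 257 transition slots, all zero-filled. */
static uint16_t g_def[2], g_next[257], g_check[257];
static uint32_t g_base[2];
int verify_sample(uint16_t start, uint16_t def1, uint32_t base1)
{
    g_def[1] = def1;                    /* DEFAULT entry for state 1 */
    g_base[1] = base1;                  /* BASE entry for state 1 */
    struct dfa d = {2, 257, g_def, g_base, g_next, g_check, start};
    return dfa_verify(&d);
}
int main(void)
{
    printf("valid=%d bad_start=%d bad_default=%d bad_base=%d\n",
           verify_sample(0, 0, 1), verify_sample(2, 0, 1),
           verify_sample(0, 7, 1), verify_sample(0, 0, 2));
    return 0;
}
```

Rejecting the blob at load time means the matching loop itself needs no per-byte bounds checks.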
Impact and Mitigation
For system administrators and Ubuntu users, this represents a critical security update that should be applied immediately. The combination of AppArmor vulnerabilities with sudo issues creates a particularly dangerous scenario where local users could potentially escalate their privileges on affected systems.
More details on the Qualys "CrackArmor" discovery for these AppArmor issues can be found in the Qualys advisory bulletin.
The coordinated response from Canonical, including updates for all affected releases and additional hardening of related utilities like su, demonstrates the severity with which these vulnerabilities are being treated. System administrators should prioritize applying these updates to ensure their Ubuntu systems remain secure against potential privilege escalation attacks.