Qualys has identified 9 vulnerabilities in the AppArmor mandatory access control system. The most dangerous of them allow a local unprivileged user to gain root privileges, escape isolated containers, and bypass restrictions enforced through AppArmor. The vulnerabilities have been collectively named CrackArmor; CVE identifiers have not yet been assigned. Privilege escalation has been successfully demonstrated on Ubuntu 24.04 and Debian 13.
The issues have been present in the AppArmor LSM module since Linux kernel 4.11, released in 2017, and affect distributions such as Ubuntu, Debian, openSUSE, and SUSE. Patches have been submitted to the Linux kernel developers and will reach users in the upcoming stable updates 6.18.18, 6.19.8, 6.12.77, 6.6.130, 6.1.167, 5.15.203, and 5.10.253. Today's Ubuntu kernel package updates already include the fix. Ubuntu has also released updates to the sudo, sudo-ldap, and util-linux packages to address flaws that become exploitable as a result of these vulnerabilities. Debian is currently preparing an update.
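As an added example (not code from Qualys or from the article), the following Python check compares a kernel release string against the fix versions listed above. It assumes an upstream stable kernel: distribution kernels such as Ubuntu's carry backported fixes under their own version numbers, so for those the vendor advisory is authoritative, and the check reports them as unlisted.

```python
import platform
import re

# Fix versions quoted in the article, keyed by upstream stable branch.
FIXED_VERSIONS = {
    "6.19": (6, 19, 8),
    "6.18": (6, 18, 18),
    "6.12": (6, 12, 77),
    "6.6": (6, 6, 130),
    "6.1": (6, 1, 167),
    "5.15": (5, 15, 203),
    "5.10": (5, 10, 253),
}

# The flaw has been present since Linux 4.11 (per the article).
FIRST_AFFECTED = (4, 11)

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release):
    """Extract (major, minor, patch) from a `uname -r` string such as '6.6.129-arch1-1'."""
    m = _VER_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(release):
    """Classify an upstream stable kernel release string.

    Returns 'not-affected' (older than 4.11), 'fixed' (at or above the listed
    fix for its branch), 'predates-fix' (same branch, older patch level) or
    'unlisted' (a branch the article gives no fix version for, which includes
    distribution kernels like 6.8.0-NN-generic; consult the vendor advisory).
    """
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixed is None:
        return "unlisted"
    return "fixed" if (major, minor, patch) >= fixed else "predates-fix"


if __name__ == "__main__":
    rel = platform.release()
    print(f"{rel}: {assess(rel)}")
```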
The vulnerabilities stem from a fundamental flaw in AppArmor of the "confused deputy" class, which allows unprivileged users to load, replace, and delete arbitrary AppArmor profiles. This can be exploited to disable protection against local and remote attacks, cause a denial of service, and bypass namespace restrictions. The ability to replace AppArmor profiles can also lead to root privileges, by attaching to utilities such as su and sudo profiles that block certain system calls.
One method of obtaining root privileges involves blocking the setuid operation for the sudo utility, combined with manipulating the MAIL_CONFIG environment variable to change the settings of the Postfix mail server. By seizing control