CrackArmor: Nine AppArmor Flaws Enable Local Root Escalation
Qualys Threat Research Unit (TRU) has disclosed nine security vulnerabilities in the Linux kernel AppArmor module that can let unprivileged users bypass protections, escalate to root, and undermine container isolation. Qualys has given the grouped issues the name CrackArmor and says the problem has existed since 2017.
AppArmor is a Linux security module that provides mandatory access control and limits what applications can do. Qualys noted AppArmor has been part of the mainline Linux kernel since version 2.6.36, and that all kernels since 4.11 on distributions that integrate AppArmor are affected.
Saeed Abbasi, senior manager of Qualys TRU, summarized the risk: “This ‘CrackArmor’ advisory exposes a confused deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel.”
Qualys describes the flaws as confused deputy vulnerabilities: an attacker who cannot normally perform a privileged action tricks a more-privileged component into misusing its rights. In AppArmor's case, Qualys explained, the result is profile manipulation that disables protections, enforces deny-all policies to create denial-of-service conditions, or enables privilege escalation.
According to Qualys, the issues interact with common tools and services. “These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads,” Abbasi said.
Qualys also warned that CrackArmor can allow unprivileged users to create fully capable user namespaces, bypassing AppArmor-based user namespace restrictions in distributions such as Ubuntu. That behavior can subvert container isolation, least-privilege controls, and service hardening, Qualys said.
The company is withholding proof-of-concept exploits to give administrators time to prioritize fixes. Qualys noted that no CVE identifiers had been assigned at the time of disclosure and urged administrators to act quickly. “Immediate kernel patching remains the non-negotiable priority for neutralizing these critical vulnerabilities, as interim mitigation does not offer the same level of security assurance as restoring the vendor-fixed code path,” Abbasi said.
What administrators should do now: follow vendor advisories, apply vendor-supplied kernel updates as soon as they are available, limit unprivileged account access, and monitor critical services for unusual behavior. Qualys emphasized patching kernels on affected hosts, and recommended treating CrackArmor as a high-priority remediation item for environments running AppArmor by default.