From profile manipulation to root shell: The blog post detailed a full privilege escalation chain demonstrated on a default Ubuntu Server installation with the Postfix mail server. By loading a crafted security profile that blocks a specific privilege-dropping capability in Sudo, the researchers said they forced Sudo into a “fail-open” condition: unable to shed its root privileges before invoking the system’s mail agent, Sudo runs the process as root while preserving the attacker’s environment. The result is arbitrary command execution as root, the researchers wrote.

“These findings expose critical gaps in our reliance on default security assumptions,” the blog post said. “It fundamentally undermines system confidentiality, integrity, and availability globally.”

“CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials,” Qualys CTO Dilip Bachwani said in the blog post. “For CISOs, this means patching alone isn’t enough; we must re-examine our entire assumption of what ‘default’ configurations mean for our infrastructure.”

This is not the first time Qualys researchers have uncovered serious privilege escalation vulnerabilities in default Linux components. In 2022, the company disclosed two flaws in Snap, Ubuntu’s universal application packaging system, that similarly allowed a low-privileged user to execute malicious code as root.
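The chain above starts with a security profile that nobody with admin rights installed. One inexpensive detection step a defender can take while patches roll out is to compare the AppArmor profiles the kernel currently has loaded against the definitions present on disk. The script below is an added example written for this page; it is not code from the article or from Qualys. It reads the kernel's listing (one line of the form `name (mode)` per loaded profile, which on a real host is /sys/kernel/security/apparmor/profiles) and the on-disk profile directory (normally /etc/apparmor.d), and prints loaded profile names with no on-disk counterpart. The way it recognises on-disk names (an explicit `profile NAME` header, or the file-name convention where `usr.sbin.tcpdump` names `/usr/sbin/tcpdump`) is a simplification assumed for the example; the sample profile listing and profile files are constructed inline so the script runs offline.

```shell
#!/bin/bash
# Added example; not from the article or from Qualys. Lists AppArmor profiles
# the kernel has loaded that have no definition in the on-disk profile
# directory. A loaded profile that nobody installed is worth investigating.
# Caveats: a crafted profile loaded under an existing name is not flagged,
# and this says nothing about whether the running kernel carries the fixes.
export LC_ALL=C   # sort and comm must agree on collation

list_loaded_profiles() {   # $1: kernel listing, lines of "name (mode)"
    sed 's/ ([a-z]*)$//' "$1" | sort -u
}

list_disk_profiles() {     # $1: directory holding profile definitions
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # explicit 'profile NAME ...' headers (assumed simplification)
        grep -o '^profile [^ {]*' "$f" | awk '{print $2}'
        # file-name convention: usr.sbin.tcpdump names /usr/sbin/tcpdump
        basename "$f" | sed 's#\.#/#g; s#^#/#'
    done | sort -u
}

unexpected_profiles() {    # $1: kernel listing, $2: profile directory
    comm -23 <(list_loaded_profiles "$1") <(list_disk_profiles "$2")
}

# Constructed sample data so the script runs offline. On a real host run:
#   unexpected_profiles /sys/kernel/security/apparmor/profiles /etc/apparmor.d
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/apparmor.d"
printf '%s\n' '/usr/sbin/tcpdump (enforce)' '/usr/bin/man (enforce)' \
    'lsb_release (enforce)' 'crafted_sudo_profile (enforce)' \
    > "$SAMPLE_DIR/profiles"
printf '%s\n' '/usr/sbin/tcpdump {' '}' > "$SAMPLE_DIR/apparmor.d/usr.sbin.tcpdump"
printf '%s\n' '/usr/bin/man {' '}' > "$SAMPLE_DIR/apparmor.d/usr.bin.man"
printf '%s\n' 'profile lsb_release /usr/bin/lsb_release {' '}' \
    > "$SAMPLE_DIR/apparmor.d/lsb_release"

# Prints "crafted_sudo_profile": the only loaded profile with no definition on disk.
unexpected_profiles "$SAMPLE_DIR/profiles" "$SAMPLE_DIR/apparmor.d"
```

Run it on a host as a user that can read the securityfs listing; an empty result means every loaded profile name has a matching definition, which is the expected state on a freshly installed system. Anything printed should be reconciled with the host's change history before being dismissed.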
Kernel-level bugs compound the risk: Beyond the profile-manipulation vector, Qualys said it identified four kernel-level vulnerabilities within AppArmor’s own code. One flaw can be exploited to crash the entire system by forcing a reboot, the advisory said. Another one allows an attacker to read protected kernel memory, exposing internal addresses that security mitigations are designed to hide and making follow-on exploits easier to execute. Two other vulnerabilities were each demonstrated as independent paths to full root access, even on systems with modern exploit mitigations enabled by default, the blog post said.

AppArmor has previously been cited as a key mitigating control against other Linux vulnerabilities. When the Dirty Pipe privilege escalation flaw threatened container environments in 2022, AppArmor was among the hardening measures recommended to limit exposure.
No CVE numbers, but patches are available: No CVE identifiers have been assigned to any of the nine vulnerabilities as of publication. The Linux kernel CVE assignment process intentionally delays issuing identifiers until one to two weeks after a fix lands in a stable release, the researchers said in the blog post. “Don’t let the absence of a CVE number downplay the significance,” the researchers wrote in the blog post. “If you’re running affected versions, treat this advisory seriously and update accordingly.”

The company added that patches were published in Linus Torvalds’ upstream kernel tree on March 12, following a coordinated disclosure process involving Ubuntu’s security team, Canonical’s AppArmor developers, Debian, SUSE, and Sudo’s maintainer that stretched over eight months. “Immediate kernel patching remains the non-negotiable priority for neutralizing these critical vulnerabilities,” the researchers wrote in the blog post.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4145539/nine-critical-vulnerabilities-in-linux-apparmor-put-over-12m-enterprise-systems-at-risk.html