Three security bypasses have been discovered in Ubuntu Linux’s unprivileged user namespace restrictions, which could allow a local attacker to exploit vulnerabilities in kernel components.
The issues allow local unprivileged users to create user namespaces with full administrative capabilities and affect Ubuntu versions 23.10, where unprivileged user namespace restrictions are enabled, and 24.04, which has them active by default.
Linux user namespaces allow users to act as root inside an isolated sandbox (namespace) without having the same privileges on the host.
Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse.
Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways.
“Qualys TRU uncovered three distinct bypasses of these namespace restrictions, each enabling local attackers to create user namespaces with full administrative capabilities,” the researchers say.
“These bypasses facilitate exploiting vulnerabilities in kernel components requiring powerful administrative privileges within a confined environment” – Qualys
The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, and that on their own they aren’t enough to gain full control of the system.
Qualys provides technical details for the three bypass methods, which are summarized as follows:
- Bypass via aa-exec: Users can exploit the aa-exec tool, which allows running programs under specific AppArmor profiles. Some of these profiles – like trinity, chrome, or flatpak – are configured to allow creating user namespaces with full capabilities. By using the unshare command through aa-exec under one of these permissive profiles, an unprivileged user can bypass the namespace restrictions and elevate privileges within a namespace.
- Bypass via busybox: The busybox shell, installed by default on both Ubuntu Server and Desktop, is associated with an AppArmor profile that also allows unrestricted user namespace creation. An attacker can launch a shell via busybox and use it to execute unshare, successfully creating a user namespace with full administrative capabilities.
- Bypass via LD_PRELOAD: This technique leverages the dynamic linker’s LD_PRELOAD environment variable to inject a custom shared library into a trusted process. By injecting a shell into a program like Nautilus – which has a permissive AppArmor profile – an attacker can launch a privileged namespace from within that process, bypassing the intended restrictions.
Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by vulnerability researcher Roddux, who published the details on March 21.
Canonical’s response and mitigations
Canonical, the organization behind Ubuntu Linux, has acknowledged Qualys’ findings and confirmed to BleepingComputer that they’re developing improvements to the AppArmor protections.
A spokesperson told us that they aren’t treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.
In a bulletin published on the official discussion forum (Ubuntu Discourse), the company shared the following hardening steps that administrators should consider:
- Enable kernel.apparmor_restrict_unprivileged_unconfined=1 to block aa-exec abuse (not enabled by default).
- Disable broad AppArmor profiles for busybox and Nautilus, which allow namespace creation.
- Optionally apply a stricter bwrap AppArmor profile for applications like Nautilus that rely on user namespaces.
- Use aa-status to identify and disable other risky profiles.
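The following audit script is an added example, not code from the article, Qualys, or Canonical's bulletin. It checks the two things an administrator would want to verify after applying the hardening steps above: that the kernel.apparmor_restrict_unprivileged_unconfined sysctl is set to 1, and that no loaded AppArmor profile both runs with flags=(unconfined) and grants user namespace creation. It assumes Ubuntu's AppArmor 4.x profile syntax, in which a bare `userns,` rule grants namespace creation; the profile files and sysctl values it scans in the demo are constructed inline, so nothing on a live system is touched. The related knob kernel.apparmor_restrict_unprivileged_userns, which the article does not mention, is read the same way.

```shell
#!/bin/sh
# Added audit helper; not code from the article, Qualys, or Canonical's bulletin.
# Assumes AppArmor 4.x profile syntax where a bare "userns," rule grants user
# namespace creation. Sample profiles and sysctl values below are constructed.

# Read a sysctl from a /proc/sys-style tree.
# $1 = tree root (use /proc/sys on a live host), $2 = dotted key.
# Prints the value, or "missing" if the kernel does not expose the knob.
read_sysctl() {
    _path="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$_path" ]; then
        tr -d '[:space:]' < "$_path"
    else
        printf 'missing'
    fi
}

# Print the names of profile files under $1 that are loaded unconfined
# (flags=(unconfined)) and contain an allowing "userns" rule. A "deny userns,"
# line does not match because the allowing rule must start the line.
list_userns_unconfined_profiles() {
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        if grep -Eq '^[[:space:]]*userns([[:space:]]+create)?[[:space:]]*,' "$_f" &&
           grep -Eq 'flags=\([^)]*unconfined[^)]*\)' "$_f"; then
            basename "$_f"
        fi
    done
}

# Prints "hardened" when the sysctl is 1 and no permissive profile remains,
# otherwise "weak". $1 = sysctl tree root, $2 = AppArmor profile directory.
audit_userns_hardening() {
    _val=$(read_sysctl "$1" kernel.apparmor_restrict_unprivileged_unconfined)
    _bad=$(list_userns_unconfined_profiles "$2")
    if [ "$_val" = "1" ] && [ -z "$_bad" ]; then
        printf 'hardened'
    else
        printf 'weak'
    fi
}

# Demo on constructed data in a temp dir; prints a short report and cleans up.
demo() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/sys/kernel" "$_tmp/apparmor.d"
    printf '0\n' > "$_tmp/sys/kernel/apparmor_restrict_unprivileged_unconfined"
    # Constructed profile modelled on an unconfined busybox profile granting userns.
    cat > "$_tmp/apparmor.d/busybox" <<'EOF'
abi <abi/4.0>,
profile busybox /usr/bin/busybox flags=(unconfined) {
  userns,
}
EOF
    # Constructed confined profile that explicitly denies userns.
    cat > "$_tmp/apparmor.d/strict-tool" <<'EOF'
abi <abi/4.0>,
profile strict-tool /usr/bin/strict-tool {
  deny userns,
}
EOF
    echo "restrict_unprivileged_unconfined = $(read_sysctl "$_tmp/sys" kernel.apparmor_restrict_unprivileged_unconfined)"
    echo "restrict_unprivileged_userns     = $(read_sysctl "$_tmp/sys" kernel.apparmor_restrict_unprivileged_userns)"
    echo "permissive userns profiles: $(list_userns_unconfined_profiles "$_tmp/apparmor.d" | tr '\n' ' ')"
    echo "verdict: $(audit_userns_hardening "$_tmp/sys" "$_tmp/apparmor.d")"
    rm -rf "$_tmp"
}

demo
```

On a real host, call `audit_userns_hardening /proc/sys /etc/apparmor.d` as root; a "weak" verdict points either at the sysctl (fix with `sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1`, persisted under /etc/sysctl.d/) or at the profile names the script lists, which are the ones to review with aa-status and disable as the bulletin recommends.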