Three security bypasses have been found in Ubuntu Linux’s unprivileged user namespace restrictions, which could allow a local attacker to exploit vulnerabilities in kernel components.
The issues allow local unprivileged users to create user namespaces with full administrative capabilities and affect Ubuntu versions 23.10, where unprivileged user namespace restrictions are enabled, and 24.04, which has them active by default.
Linux user namespaces allow users to act as root inside an isolated sandbox (namespace) without having the same privileges on the host.
Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse.
Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways.
“Qualys TRU uncovered three distinct bypasses of these namespace restrictions, each enabling local attackers to create user namespaces with full administrative capabilities,” the researchers say.
“These bypasses facilitate exploiting vulnerabilities in kernel components requiring powerful administrative privileges within a confined environment” – Qualys
The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, but on their own they aren’t sufficient to obtain full control of the system.
Qualys provides technical details for the three bypass methods, which are summarized as follows:
Bypass via aa-exec: Users can exploit the aa-exec tool, which allows running programs under specific AppArmor profiles. Some of these profiles – like trinity, chrome, or flatpak – are configured to allow creating user namespaces with full capabilities. By using the unshare command via aa-exec under one of these permissive profiles, an unprivileged user can bypass the namespace restrictions and elevate privileges inside a namespace.
Bypass via busybox: The busybox shell, installed by default on both Ubuntu Server and Desktop, is associated with an AppArmor profile that also allows unrestricted user namespace creation. An attacker can launch a shell via busybox and use it to execute unshare, successfully creating a user namespace with full administrative capabilities.
Bypass via LD_PRELOAD: This technique leverages the dynamic linker’s LD_PRELOAD environment variable to inject a custom shared library into a trusted process. By injecting a shell into a program like Nautilus – which has a permissive AppArmor profile – an attacker can launch a privileged namespace from inside that process, bypassing the intended restrictions.
Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by vulnerability researcher Roddux, who published the details on March 21.
Canonical’s response and mitigations
Canonical, the company behind Ubuntu Linux, has acknowledged Qualys’ findings and confirmed to BleepingComputer that they’re developing improvements to the AppArmor protections.
A spokesperson told us that they aren’t treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.
In a bulletin published on the official discussion forum (Ubuntu Discourse), the company shared the following hardening steps that administrators should consider:
Enable kernel.apparmor_restrict_unprivileged_unconfined=1 to block aa-exec abuse (not enabled by default).
Disable broad AppArmor profiles for busybox and Nautilus, which allow namespace creation.
Optionally apply a stricter bwrap AppArmor profile for applications like Nautilus that rely on user namespaces.
Use aa-status to identify and disable other risky profiles.
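As an added example (not code from the article, Qualys or Canonical), the following POSIX shell helpers audit the first, second and fourth steps above: one checks the sysctl value, the other scans aa-status output for loaded enforce-mode profiles on a watch list of the profile names the article describes as permissive about user namespaces. Both take command output as a string so they can be exercised offline; the sample aa-status text, the default watch list and the assumed layout of aa-status output (indented profile names under the "profiles are in enforce mode" header) are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the article, Qualys or Canonical. Two audit
# helpers for the hardening steps listed above. Both take command output as
# a string so they can be exercised offline on constructed data; on a real
# host (aa-status needs root to read the full profile set) feed them:
#   restrict_unconfined_ok "$(sysctl -n kernel.apparmor_restrict_unprivileged_unconfined)"
#   permissive_userns_profiles "$(aa-status)"

# Returns 0 when the sysctl value is 1 (aa-exec abuse blocked), 1 otherwise.
restrict_unconfined_ok() {
    [ "$1" = "1" ]
}

# Scans aa-status text for loaded enforce-mode profiles whose names are on a
# watch list (default: the profiles the article names as permitting
# unrestricted user namespace creation). Prints each match on its own line
# and returns 0 only when none are present.
# Assumption: aa-status lists profile names as indented lines directly under
# the "... profiles are in enforce mode." header, its usual layout.
permissive_userns_profiles() {
    status="$1"
    watch="${2:-busybox|nautilus|trinity|chrome|flatpak}"
    found=$(printf '%s\n' "$status" \
        | awk '/profiles are in enforce mode/ { grab = 1; next }
               /^[^[:space:]]/                { grab = 0 }
               grab                           { sub(/^[[:space:]]+/, ""); print }' \
        | grep -E "^($watch)$" || true)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Constructed sample of aa-status output resembling a default 24.04 host on
# which the broad busybox and nautilus profiles are still loaded.
SAMPLE_STATUS='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   busybox
   nautilus
   unprivileged_userns
0 profiles are in complain mode.'

# Stand-alone demonstration: report both checks on the constructed data
# (the sysctl value 0 mirrors the default the article describes).
if restrict_unconfined_ok 0; then
    echo "sysctl: ok"
else
    echo "sysctl: kernel.apparmor_restrict_unprivileged_unconfined is not 1"
fi
if permissive_userns_profiles "$SAMPLE_STATUS"; then
    echo "profiles: no permissive user-namespace profiles loaded"
else
    echo "profiles: review the profiles listed above (disable or tighten them)"
fi
```

A second argument to permissive_userns_profiles overrides the watch list with an ERE alternation, so the same scan can be pointed at any other profile names an administrator identifies with aa-status.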