Qualys discovers three bypasses of Ubuntu's unprivileged user namespace restrictions
Combined with other vulnerabilities, the flaws could lead to full system access


The Qualys Threat Research Unit (TRU) says it has uncovered three flaws in Ubuntu's unprivileged user namespace restrictions that could allow a local attacker to gain full administrative capabilities.
Linux distributions generally allow unprivileged users to create namespaces that help in creating containers and additional sandboxing functionality for programs such as container runtimes, but that also creates a weak spot.
"Most major Linux distributions permit unprivileged users to create namespaces in which they effectively gain full administrative rights," said Saeed Abbasi, manager, vulnerability research, at Qualys. "While beneficial for creating containers and sandboxes, this significantly expands the kernel's attack surface."
While the three bypasses uncovered by Qualys don't enable complete system takeover by themselves, they do present risks when combined with other vulnerabilities, typically kernel-related, which they make exploitable by unprivileged users.
Each would allow a local attacker to create user namespaces with full administrative capabilities. Attackers could then use these namespaces to gain administrative privileges, allowing them to exploit vulnerabilities in kernel components and open up other attacks that give threat actors full system access.
An unprivileged local attacker, said Qualys, can simply use the aa-exec tool, which is installed by default on Ubuntu, to transition to one of the many pre-configured AppArmor profiles that allow the creation of user namespaces with full capabilities.
Alternatively, they can first execute a busybox shell, again installed by default, which allows the creation of user namespaces with full capabilities. They can also LD_PRELOAD a shell into one of the programs whose pre-configured AppArmor profile does allow this.
Qualys disclosed the vulnerabilities to the Ubuntu Security Team on January 15, and said it's been working with Ubuntu since then.
According to Ubuntu, installations can be strengthened, and the first two bypasses mitigated, by restricting unprivileged unconfined profile changes: make sure the kernel.apparmor_restrict_unprivileged_unconfined sysctl setting is enabled.
Broad AppArmor profiles should be removed, said Ubuntu, and the bwrap profile used by the Nautilus file manager should be defined, based on the one from the AppArmor repository.
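A defender-side check for the two mitigations Ubuntu describes, as an added example that is not from Qualys, Ubuntu or the original article: it reads the sysctl named above and lists profile files that pair flags=(unconfined) with a userns rule. The function names, the path parameters and the text-matching heuristic are assumptions of this example; /proc/sys/kernel and /etc/apparmor.d are the standard locations.

```shell
#!/bin/sh
# Added example: audit helper for the mitigations described above.
# Roots are parameters so the checks can run against a constructed tree;
# the defaults are the live system locations.

# sysctl_enabled NAME [PROC_ROOT]: succeeds when kernel.NAME reads 1.
sysctl_enabled() {
    f="${2:-/proc/sys}/kernel/$1"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# broad_userns_profiles [DIR]: print top-level profile files that are both
# flagged unconfined and carry a userns rule. Heuristic text match, not a
# parser; files in subdirectories are not scanned.
broad_userns_profiles() {
    dir="${1:-/etc/apparmor.d}"
    for p in "$dir"/*; do
        [ -f "$p" ] || continue
        body=$(sed 's/#.*//' "$p")          # drop comments first
        printf '%s\n' "$body" | grep -Eq 'flags=\([^)]*unconfined' || continue
        printf '%s\n' "$body" | grep -Eq '^[[:space:]]*userns[[:space:],]' || continue
        printf '%s\n' "$p"
    done
}

# audit [PROC_ROOT] [DIR]: report both checks; non-zero if either needs action.
audit() {
    proc="${1:-/proc/sys}"; dir="${2:-/etc/apparmor.d}"; rc=0
    name=apparmor_restrict_unprivileged_unconfined
    if sysctl_enabled "$name" "$proc"; then
        echo "OK     kernel.$name = 1"
    else
        echo "WARN   kernel.$name is not enabled"
        rc=1
    fi
    broad=$(broad_userns_profiles "$dir")
    if [ -n "$broad" ]; then
        echo "REVIEW unconfined profiles that grant userns:"
        printf '%s\n' "$broad" | sed 's/^/  /'
        rc=1
    fi
    return "$rc"
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Running the script with --audit checks the live system; a REVIEW line marks a profile to inspect by hand, not a confirmed problem.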
"In addition to preparing extensive documentation that explains the nuances behind the AppArmor hardening functionality, we are developing new features that will further decrease the attack surface in the event of unforeseen Linux kernel vulnerabilities," said Ubuntu.
"The current issues with the above mitigations will be addressed via new AppArmor features and made available by default on standard installations. These will be selectively backported to supported Ubuntu releases via Stable Release Updates or introduced in new releases."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.