The Qualys Threat Research Unit (TRU) says it has uncovered three flaws in Ubuntu's unprivileged user namespace restrictions that could allow a local attacker to gain full administrative capabilities.
Linux distributions generally allow unprivileged users to create namespaces that help in creating containers and additional sandboxing functionality for programs such as container runtimes, but that also creates a weak spot.
"Most major Linux distributions permit unprivileged users to create namespaces in which they effectively gain full administrative rights," said Saeed Abbasi, manager, vulnerability research, at Qualys. "While beneficial for creating containers and sandboxes, this significantly expands the kernel's attack surface."
While the three bypasses uncovered by Qualys don't enable complete system takeover by themselves, they do present risks when combined with other vulnerabilities, typically kernel-related, making them exploitable by unprivileged users.
Each would allow a local attacker to create user namespaces with full administrative capabilities. Attackers could then use these namespaces to gain administrative privileges, allowing them to exploit vulnerabilities in kernel components and open up other attacks to allow threat actors to get full system access.
An unprivileged local attacker, said Qualys, can simply use the aa-exec tool, which is installed by default on Ubuntu, to transition to one of the many pre-configured AppArmor profiles that allow the creation of user namespaces with full capabilities.
They can first execute a busybox shell, again installed by default, which allows the creation of user namespaces with full capabilities. They can also LD_PRELOAD a shell into one of the programs whose pre-configured AppArmor profile does allow this.
Qualys disclosed the vulnerabilities to the Ubuntu Security Team on January 15, and said it's been working with Ubuntu since then.
According to Ubuntu, installations can be strengthened and the first two bypasses mitigated through restricting unprivileged unconfined profile changes by making sure the kernel 'apparmor_restrict_unprivileged_unconfined sysctl' setting is enabled.
Broad AppArmor profiles should be removed, said Ubuntu, and the bwrap profile used by the Nautilus file manager should be defined, based on the one from the AppArmor repository.
"In addition to preparing extensive documentation that explains the nuances behind the AppArmor hardening functionality, we are developing new features that will further decrease the attack surface in the event of unforeseen Linux kernel vulnerabilities," said Ubuntu.
"The current issues with the above mitigations will be addressed via new AppArmor features and made available by default on standard installations. These will be selectively backported to supported Ubuntu releases via Stable Release Updates or introduced in new releases."
