Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation
Briefly

The Qualys Threat Research Unit (TRU) discovered nine confused-deputy vulnerabilities in AppArmor, the Linux security module that has provided mandatory access control since kernel version 2.6.36. Collectively named CrackArmor, the flaws have been present since 2017. They let unprivileged users manipulate security profiles through AppArmor's pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel. Combined with the behaviour of privileged tools such as Sudo and Postfix, the flaws enable local privilege escalation to root; they also allow denial of service through stack exhaustion and a bypass of Kernel Address Space Layout Randomization (KASLR) through out-of-bounds reads. An attacker who lacks the permissions normally required to change policy can disable critical service protections or enforce deny-all policies.
"This 'CrackArmor' advisory exposes a confused deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel. These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads."
"Confused deputy vulnerabilities occur when a privileged program is coerced by an unauthorized user into misusing its privileges to perform unintended, malicious actions. The problem essentially exploits the trust associated with a more-privileged tool to execute a command that leads to privilege escalation."
"Qualys said an entity that doesn't have permissions to perform an action can manipulate AppArmor profiles to disable critical service protections or enforce deny-all policies, triggering denial-of-service (DoS) attacks in the process."
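Since the advisory describes attackers silently switching profiles off or into deny-all, a practical defensive check is to snapshot the kernel's loaded-profile listing and watch for drift. The script below is an added example and is not code from Qualys, AppArmor or The Hacker News. It assumes the standard listing format of `/sys/kernel/security/apparmor/profiles` (one `name (mode)` entry per line, root-readable); the baseline and current listings embedded in it are constructed samples so that it runs offline.

```shell
#!/bin/sh
# Added example: drift check for AppArmor profile modes (not from the advisory).
# Reads two listings in the kernel's "name (mode)" format and reports profiles
# that disappeared or changed mode since a saved baseline, which is the kind of
# tampering (protection disabled, unexpected policy) the advisory describes.

# Live listing; reading it requires root. Assumed standard path.
PROFILES_FILE=${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}

# normalize_profiles: stdin "name (mode)" lines -> sorted "name<TAB>mode".
# Modes seen in practice include enforce, complain, unconfined, kill.
normalize_profiles() {
    awk '
        match($0, / \([a-z-]+\)$/) {
            name = substr($0, 1, RSTART - 1)
            mode = substr($0, RSTART + 2, RLENGTH - 3)
            printf "%s\t%s\n", name, mode
        }' | sort
}

# profile_drift BASELINE CURRENT: one line per profile that is missing from
# CURRENT or whose mode differs from BASELINE. Both arguments are raw listings.
# Output format: STATUS<TAB>name<TAB>baseline-mode<TAB>current-mode
profile_drift() {
    base=$(printf '%s\n' "$1" | normalize_profiles)
    cur=$(printf '%s\n' "$2" | normalize_profiles)
    tab=$(printf '\t')
    printf '%s\n' "$base" | while IFS="$tab" read -r name mode; do
        [ -n "$name" ] || continue
        now=$(printf '%s\n' "$cur" | awk -F'\t' -v n="$name" '$1 == n { print $2 }')
        if [ -z "$now" ]; then
            printf 'REMOVED\t%s\t%s\t-\n' "$name" "$mode"
        elif [ "$now" != "$mode" ]; then
            printf 'CHANGED\t%s\t%s\t%s\n' "$name" "$mode" "$now"
        fi
    done
}

# drift_count BASELINE CURRENT: number of drifted profiles (0 when clean).
drift_count() {
    profile_drift "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample listings (not captured from a real host).
BASELINE_SAMPLE='/usr/sbin/cupsd (enforce)
/usr/sbin/tcpdump (enforce)
/usr/lib/snapd/snap-confine (enforce)
/usr/bin/man (enforce)
man_filter (enforce)'

# cupsd has been flipped to complain and snap-confine has been unloaded.
CURRENT_SAMPLE='/usr/sbin/cupsd (complain)
/usr/sbin/tcpdump (enforce)
/usr/bin/man (enforce)
man_filter (enforce)'

# Usage: with a saved baseline file as $1 (and root), compare the live kernel
# listing against it; with no argument, run against the constructed samples.
if [ -n "${1:-}" ] && [ -r "$PROFILES_FILE" ]; then
    profile_drift "$(cat "$1")" "$(cat "$PROFILES_FILE")"
else
    profile_drift "$BASELINE_SAMPLE" "$CURRENT_SAMPLE"
fi
```

To use it on a real host, save a known-good listing once (`cat /sys/kernel/security/apparmor/profiles > baseline.txt` as root) and run the script with that file as its argument from a periodic job; any `CHANGED` or `REMOVED` line is worth an alert, since normal operation does not flip service profiles out of enforce mode.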
Read at The Hacker News