The AppArmor Linux kernel security module, used notably by Ubuntu Linux and currently maintained by Canonical, is affected by several vulnerabilities made public today.
Qualys researchers discovered vulnerabilities within the AppArmor code of the Linux kernel that they are calling CrackArmor. Some of the issues can lead to anything from denial of service to kernel memory information leaks, but when paired with a sudo discovery they can together lead to local privilege escalation.
This evening the Ubuntu Blog is publicizing these AppArmor security vulnerabilities and the important fixes. Updates for all affected Ubuntu Linux releases are rolling out.
This tracking ticket sums up the AppArmor kernel fixes as:
– apparmor: validate DFA start states are in bounds in unpack_pdb
– apparmor: fix memory leak in verify_header
– apparmor: replace recursive profile removal with iterative approach
– apparmor: fix: limit the number of levels of policy namespaces
– apparmor: fix side-effect bug in match_char() macro usage
– apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
– apparmor: Fix double free of ns_name in aa_replace_profiles()
– apparmor: fix unprivileged local user can do privileged policy management
– apparmor: fix differential encoding verification
– apparmor: fix race on rawdata dereference
– apparmor: fix race between freeing data and fs accessing it
Where it gets nasty is this issue for sudo, which can in turn lead to privilege escalation for local users.
Unsafe behavior was also discovered within the su utility that can lead to exploitation of the AppArmor vulnerabilities in host deployments, so hardening of su is also being carried out.
The sudo issue affects Ubuntu Linux releases back to Ubuntu 22.04 LTS. The su hardening in util-linux goes back to Ubuntu 20.04 LTS.
More details on the Qualys “CrackArmor” discovery for these AppArmor issues can be found via this advisory bulletin.
