Key Points:
• Linux admins running Ubuntu with the unprivileged user namespace restriction enabled may be exposed to three new exploits that bypass the supposed protection.
• Qualys researchers found three ways to bypass this feature, allowing a local attacker to create user namespaces with full administrator capabilities.
• Ubuntu claims these are not security vulnerabilities, but rather limitations in the feature that can be addressed with hardening steps.
Linux admins who have enabled the unprivileged user namespace restriction in their Ubuntu environments should take action to close three new vulnerabilities that allow a threat actor to bypass the supposed protection. The warning comes from researchers at Qualys, who found three different ways this hardening feature can, under certain circumstances, be bypassed.
According to Robert Beggs, CEO of Canadian incident response firm DigitalDefence, "it facilitates other exploits. By itself, not a major thing. But if something else comes out it can be chained to these [vulnerabilities] and cause a lot of damage." However, Johannes Ullrich, dean of research at the SANS Institute, is not as concerned, noting that "the vulnerability is not very serious in that it does not allow access to any privileges a user may have without namespaces."
Last October, Ubuntu introduced AppArmor-based features to improve security, but the namespace restriction appears to have an unintended consequence. "This is an unintended consequence where a security control was put in place but it isn’t fully applied," said Beggs. "So it allows anyone to push and escalate their privileges."
The three bypasses discovered by Qualys allow an unprivileged local attacker to:
- Use the aa-exec tool to transition to a pre-configured AppArmor profile that allows the creation of user namespaces with full capabilities
- Execute a busybox shell, which is installed by default on Ubuntu, and is one of the programs whose pre-configured AppArmor profile does allow the creation of user namespaces with full capabilities
- LD_PRELOAD a shell into one of the programs whose pre-configured AppArmor profile does allow the creation of user namespaces with full capabilities
Not security vulnerabilities, according to Ubuntu
"These are not security vulnerabilities," says Ubuntu. "As Ubuntu installations benefit from an extra layer of hardening with the AppArmor protections, despite the limitations identified [by Qualys]."
To mitigate these bypasses, Ubuntu recommends that sysadmins:
- Make sure their Ubuntu installations are fully patched
- Change the Linux kernel setting to limit unprivileged profile changes
- Restrict the AppArmor profile
As a precautionary measure, Beggs recommends that sysadmins "make sure their Ubuntu installations are fully patched, change the Linux kernel setting to limit unprivileged profile changes, and restrict the AppArmor profile." Ubuntu ships with default unconfined profiles for several applications that allow the creation of user namespaces.
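One way to audit the kernel-setting and profile steps above on a host, as an added example that is not from the article, Qualys or Ubuntu. It assumes the Ubuntu sysctls `kernel.apparmor_restrict_unprivileged_userns` and `kernel.apparmor_restrict_unprivileged_unconfined` (the article does not name them) and profiles stored under `/etc/apparmor.d`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the AppArmor user-namespace hardening described above.
# Each function takes an optional ROOT prefix so the checks can run against
# a copied or constructed filesystem tree instead of the live system.

# Print the value of a kernel.* sysctl file, or "missing" if it is absent.
sysctl_value() {
    f="$1/proc/sys/kernel/$2"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# List enabled profile files that are flagged unconfined and grant "userns,".
userns_profiles() {
    root="$1"
    for f in "$root"/etc/apparmor.d/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        d="$root/etc/apparmor.d/disable/$name"
        # Profiles linked into disable/ are not loaded at boot.
        if [ -e "$d" ] || [ -L "$d" ]; then continue; fi
        grep -Eq 'flags=\([^)]*unconfined' "$f" || continue
        grep -Eq '^[[:space:]]*userns,' "$f" || continue
        echo "$name"
    done
}

# Report every gap; return 0 only when nothing needs attention.
audit_userns_hardening() {
    root="${1:-}"
    findings=0
    for s in apparmor_restrict_unprivileged_userns \
             apparmor_restrict_unprivileged_unconfined; do
        v=$(sysctl_value "$root" "$s")
        if [ "$v" != 1 ]; then
            echo "WARN kernel.$s=$v (expected 1)"
            findings=$((findings + 1))
        fi
    done
    for p in $(userns_profiles "$root"); do
        echo "REVIEW $p: unconfined profile that allows userns"
        findings=$((findings + 1))
    done
    echo "findings=$findings"
    [ "$findings" -eq 0 ]
}

# Live system: source this file, then run audit_userns_hardening with no argument.
```

Each REVIEW line names a profile to weigh against the applications that actually need unprivileged user namespaces on that host before it is tightened or disabled.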