The Qualys Threat Research Unit (TRU) has identified nine vulnerabilities in AppArmor, the Linux Security Module that provides mandatory access control by default on Ubuntu, Debian, SUSE and several cloud platforms.
The flaws have been present since 2017 (Linux kernel v4.11), so the population of exposed systems is large: every default installation of those distributions has carried the vulnerable code for years.
The flaws, disclosed in the "CrackArmor" advisory, centre on a confused deputy vulnerability: AppArmor's pseudo-file interfaces act on behalf of unprivileged callers with the kernel's authority, which lets those users manipulate security profiles and, according to the advisory, execute arbitrary kernel code.
From there the researchers chain to local privilege escalation to root through interactions with tools such as Sudo and Postfix, to denial of service via stack exhaustion, and to a Kernel Address Space Layout Randomization (KASLR) bypass via out-of-bounds reads.
Taken together, the findings show the cost of relying on default security assumptions: a component trusted to confine processes became a path to compromising the confidentiality, integrity and availability of the host, and because the bugs date back to 2017, long-lived legacy systems have been exploitable for years.
Qualys CyberSecurity Asset Management analysis quantifies the scope: over 12.6 million enterprise Linux instances operate with AppArmor enabled by default.
“TRU has developed Proof of Concepts (PoCs) demonstrating the full exploitation chain for the CrackArmor vulnerabilities. As part of our coordinated disclosure process, we developed working exploits and proof-of-concept demonstrations, which we shared with the security team to facilitate immediate remediation efforts,” researchers said.
Qualys added that while it withholds public release of exploit code to prioritize patch deployment and minimize risk exposure to unpatched environments, the technical nature of these flaws allows for independent validation by the security community. “Consequently, transparency regarding the vulnerability mechanics remains critical to ensuring global infrastructure resilience.”
Immediate kernel patching remains the priority, the researchers added: no other mitigation provides the same assurance as having the vulnerable code path fixed by the vendor.
IT and security operations leaders should pull forward emergency maintenance windows to deploy fixed kernels while keeping services running, and should confirm the fix is actually in effect. A patched kernel package only removes the vulnerable code path once the host has booted into that kernel (or received a live patch), so a fleet-wide check of the running kernel version, not just the installed package, is needed before the privilege escalation can be considered eradicated.
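One way to run that post-patch check on a host, as an added example that is not code from Qualys or from the article: it reports whether the kernel has AppArmor enabled at all, and whether the newest installed kernel is the one actually running, since a fixed kernel that is only on disk leaves the vulnerable code path live until reboot. The script assumes the standard sysfs flag path and that installed kernels appear as /boot/vmlinuz-<release>; both are assumptions about the target distribution, and the sample release strings are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not code from Qualys or the article. Checks whether a host
# is actually protected after a CrackArmor kernel update: the fix only takes
# effect once the patched kernel is running, and AppArmor must be enabled.
# Assumptions: /boot/vmlinuz-<release> naming for installed kernels and the
# standard sysfs path for the AppArmor enabled flag; adjust for other layouts.

# apparmor_enabled [FILE] -> exit 0 if the kernel reports AppArmor enabled ("Y").
apparmor_enabled() {
    f=${1:-/sys/module/apparmor/parameters/enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# newest_kernel LIST -> highest release string from a newline-separated list.
# sort -V orders 6.8.0-52 after 6.8.0-9, which a plain lexical sort would not.
newest_kernel() {
    printf '%s\n' "$1" | sed '/^$/d' | sort -V | tail -n 1
}

# reboot_pending RUNNING INSTALLED_LIST -> exit 0 if a kernel other than the
# running one is the newest installed, i.e. the patch is on disk, not in effect.
reboot_pending() {
    [ "$(newest_kernel "$2")" != "$1" ]
}

# installed_kernels -> newline-separated releases found under /boot (assumption).
installed_kernels() {
    for k in /boot/vmlinuz-*; do
        [ -e "$k" ] && printf '%s\n' "${k#/boot/vmlinuz-}"
    done
}

# report -> human-readable status for the host this script runs on.
report() {
    if apparmor_enabled; then
        echo "AppArmor: enabled"
    else
        echo "AppArmor: NOT enabled (sysfs flag missing or 'N')"
    fi
    running=$(uname -r)
    installed=$(installed_kernels)
    if [ -z "$installed" ]; then
        echo "Kernel: running $running (no /boot/vmlinuz-* inventory found)"
    elif reboot_pending "$running" "$installed"; then
        echo "Kernel: running $running, newest installed $(newest_kernel "$installed") -> REBOOT PENDING"
    else
        echo "Kernel: running $running matches newest installed -> patch in effect"
    fi
}

# Constructed sample (not from a real host): patched package installed,
# older kernel still running, so reboot_pending should report pending.
SAMPLE_RUNNING="6.8.0-51-generic"
SAMPLE_INSTALLED="6.8.0-9-generic
6.8.0-51-generic
6.8.0-52-generic"

[ "${NO_DEMO:-}" ] || report
```

Run it as a normal user on each host after the update; "REBOOT PENDING" or "NOT enabled" means the host is still exposed regardless of what the package manager reports.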
“These discoveries highlight critical gaps in how we rely on default security assumptions. CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials. For CISOs, this means patching alone isn’t enough; we must re-examine our entire assumption of what ‘default’ configurations mean for our infrastructure,” says Dilip Bachwani, CTO at Qualys.
Kirsten Doyle, Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.