Linux administrators running Ubuntu should take note of a recent warning regarding three vulnerabilities that allow unauthorized bypass of a security feature meant to limit unprivileged user namespaces. The revelation by researchers from Qualys highlights that despite these protections intended to enhance security, they can actually be circumvented under certain conditions.
Robert Beggs, CEO of DigitalDefence, emphasized the urgency of addressing these issues, stating that while the vulnerabilities themselves may not be catastrophic, they can be exploited in conjunction with other vulnerabilities to cause substantial harm if left unchecked. Fortunately, there have been no reported exploits actively taking advantage of these vulnerabilities in the wild.
In contrast, Johannes Ullrich from the SANS Institute has expressed a more tempered response, indicating that while the vulnerabilities could pose problems if an administrator over-relies on namespaces for security, the actual risk of harm remains limited. Organizations using tools like Ansible can incorporate the necessary changes during regular maintenance.
The complications arose following Ubuntu’s introduction of AppArmor-related security features to restrict user namespaces, which ironically failed to fully enforce intended restrictions, leading to unintended pathways for privilege escalation.
The specific techniques identified for bypassing the unprivileged user namespace restrictions include:
- Using the `aa-exec` tool to access pre-configured AppArmor profiles that allow namespace creation with full capabilities.
- Executing a busybox shell, a pre-installed program that permits user namespaces with administrative capabilities.
- Utilizing the `LD_PRELOAD` environment variable to inject a shell into programs that are part of pre-configured profiles allowing namespace creation.
Although Ubuntu maintains these are not critical security vulnerabilities, they concede that improvements are necessary to mitigate potential risks emanating from currently unknown kernel vulnerabilities.
Recommended actions for administrators include:
- Ensuring their systems are fully updated.
- Modifying kernel settings to restrict profile changes by enabling the `kernel.apparmor_restrict_unprivileged_unconfined` sysctl.
- Tightening AppArmor profiles to reduce the chance of unprivileged namespace creation.
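
One way to check the sysctl recommendation above on a host, as an added example that is not from the article or from Ubuntu. The function names are hypothetical, `kernel.apparmor_restrict_unprivileged_userns` (the switch for the namespace restriction itself) is not named in the article, and only one drop-in directory (`/etc/sysctl.d` by default) is searched for persistence.

```shell
#!/bin/sh
# Added example (not from the article): audit the AppArmor namespace sysctls.
# Directory arguments exist so the check can run against a constructed tree.

# runtime_state PROCROOT NAME -> enabled | disabled | missing
runtime_state() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    [ -r "$path" ] || { echo missing; return 0; }
    if [ "$(tr -d '[:space:]' < "$path")" = 1 ]; then echo enabled; else echo disabled; fi
}

# persisted CONFDIR NAME -> yes if some *.conf in CONFDIR sets NAME = 1
persisted() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    if grep -Eqs "^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1"/*.conf
    then echo yes; else echo no; fi
}

# audit_userns_hardening [PROCROOT] [CONFDIR]; returns 0 only if every
# sysctl is enabled at runtime and persisted across reboots.
audit_userns_hardening() {
    procroot=${1:-/proc/sys}; confdir=${2:-/etc/sysctl.d}; rc=0
    for name in \
        kernel.apparmor_restrict_unprivileged_userns \
        kernel.apparmor_restrict_unprivileged_unconfined
    do
        state=$(runtime_state "$procroot" "$name")
        keep=$(persisted "$confdir" "$name")
        echo "$name runtime=$state persisted=$keep"
        if [ "$state" != enabled ] || [ "$keep" != yes ]; then
            rc=1
            echo "  fix: add '$name = 1' to a file under $confdir, then run sysctl --system"
        fi
    done
    return $rc
}

# Run against the live system only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_userns_hardening; fi
```

A value set only with `sysctl -w` is lost at reboot, which is why the audit reports the runtime and persisted states separately.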
In summary, while the recent findings might not point to immediate and widespread danger, they do underscore a need for vigilance and proactive measures to maintain the security integrity of Ubuntu systems.