
Linux admins who have enabled the unprivileged user namespace restriction in their recent Ubuntu environments should take action to close three new vulnerabilities that allow a threat actor to bypass the supposed protection.
This warning comes after researchers at Qualys found three different ways this hardening feature can, under certain circumstances, be bypassed.
“It needs to be addressed quickly,” said Robert Beggs, CEO of Canadian incident response firm DigitalDefence, which has several Ubuntu-based applications in its portfolio, “because it facilitates other exploits. By itself, not a major thing. But if something else comes out it can be chained to these [vulnerabilities] and cause a lot of damage.”
So far, he said, there isn’t an exploit in the wild.
However, Johannes Ullrich, dean of research at the SANS Institute, is not as concerned.
“The vulnerability is not very serious in that it does not allow access to any privileges a user may have without namespaces,” he noted. “But it can be a problem if an administrator relies on namespaces for additional security.”
Thus, “there is little impact of not ‘patching’ the vulnerability,” he said. “Organizations using centralized configuration tools like Ansible may deploy these changes with regularly scheduled maintenance or reboot windows.”
Features supposed to improve security
Ironically, last October Ubuntu introduced AppArmor-based features to improve security by reducing the attack surface from unprivileged user namespaces in the Linux kernel. It didn’t quite do that.
“This is an unintended consequence where a security control was put in place but it isn’t fully applied,” said Beggs, “so it allows anyone to push and escalate their privileges.”
Three bypasses
Unprivileged user namespaces are a Linux kernel feature that is supposed to provide additional sandboxing functionality for programs such as container runtimes, says Ubuntu. The feature enables unprivileged users to gain administrator (root) permissions within a confined environment, without giving them elevated permissions on the host system.
However, unprivileged user namespaces have been repeatedly used to exploit kernel vulnerabilities, so the AppArmor restriction added to Ubuntu 23.10 and 24.04 LTS was supposed to act as a security hardening measure.
But Qualys discovered three different bypasses, each of which allows a local attacker to create user namespaces with full administrator capabilities, and therefore to still exploit vulnerabilities in kernel components that require capabilities such as CAP_SYS_ADMIN or CAP_NET_ADMIN:
- an unprivileged local attacker can simply use the aa-exec tool (which is installed by default on Ubuntu) to transition to one of the many pre-configured AppArmor profiles that do allow the creation of user namespaces with full capabilities (for example, the chrome, flatpak, or trinity profile);
- an unprivileged local attacker can first execute a busybox shell, which is installed by default on Ubuntu and is one of the programs whose pre-configured AppArmor profile does allow the creation of user namespaces with full capabilities;
- an unprivileged local attacker can LD_PRELOAD a shell into one of the programs whose pre-configured AppArmor profile does allow the creation of user namespaces with full capabilities (for example, Nautilus is installed by default on Ubuntu Desktop).
Note that such a bypass allows an unprivileged user to obtain full capabilities inside a namespace, not on the host outside a namespace.
Not security vulnerabilities, says Ubuntu
“These are not security vulnerabilities,” says Ubuntu in a blog, “as Ubuntu installations benefit from an extra layer of hardening with the AppArmor protections, despite the limitations identified [by Qualys].”
“While a superficial observation of the application of user namespaces may indicate privileged (root level) access, this is a fictitious state that is operating as expected, with access control still mapped to the real (root namespace) user’s permissions. As such, these bypasses do not enable more access than what the default Linux kernel unprivileged user namespace feature allows in most Linux distributions. They do, however, demonstrate limitations that we are looking to address in order to strengthen existing protections against as-of-yet-unknown Linux kernel vulnerabilities.”
Ubuntu says admins of releases after version 23.10 can apply further hardening steps to mitigate the first two bypasses; these will be enabled by default in future releases.
Recommended action
Beggs recommends that sysadmins:
- make sure their Ubuntu installations are fully patched;
- change the Linux kernel setting to limit unprivileged profile changes. Do this by making sure the kernel.apparmor_restrict_unprivileged_unconfined sysctl setting is enabled;
- restrict the AppArmor profile. Ubuntu ships with default unconfined profiles for several applications that allow the creation of user namespaces.
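As an added illustration of those checks (this is not code from the article, Qualys or Ubuntu), the following POSIX shell helper reports whether the two AppArmor sysctls named in the article are enforced and which enabled profiles still grant "userns" to a program; it assumes Ubuntu's /proc/sys/kernel sysctl files, the /etc/apparmor.d profile directory and its disable/ symlink convention, and takes those paths as parameters so it can also be run against constructed copies.

```shell
#!/bin/sh
# Added audit helper for the hardening steps above (not from the article,
# Qualys or Ubuntu). It reports the state of the two AppArmor sysctls and
# counts enabled profiles that still grant "userns" to a program.
# Paths are parameters so the checks can be exercised on constructed copies.

# Print "ok" when the sysctl file holds 1 (restriction enforced), else "weak".
check_sysctl() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "1" ]; then
        echo ok
    else
        echo weak
    fi
}

# List profile files in $1 that contain a "userns," (or "allow userns,") rule
# and are not disabled via a same-named link in $2 (the disable/ convention).
list_userns_profiles() {
    dir="$1"; disabled="$2"
    for p in "$dir"/*; do
        [ -f "$p" ] || continue
        [ -e "$disabled/$(basename "$p")" ] && continue
        grep -Eq '^[[:space:]]*(allow[[:space:]]+)?userns[[:space:]]*,' "$p" \
            && basename "$p"
    done
    return 0
}

# One-line summary: both sysctl states plus the count of enabled userns profiles.
audit_host() {
    sysdir="$1"; profdir="$2"; disabled="$3"
    userns=$(check_sysctl "$sysdir/apparmor_restrict_unprivileged_userns")
    unconf=$(check_sysctl "$sysdir/apparmor_restrict_unprivileged_unconfined")
    n=$(list_userns_profiles "$profdir" "$disabled" | wc -l | tr -d ' ')
    echo "restrict_userns=$userns restrict_unconfined=$unconf userns_profiles=$n"
}

# Run against the live system when AppArmor's profile directory is present.
if [ -d /etc/apparmor.d ]; then
    audit_host /proc/sys/kernel /etc/apparmor.d /etc/apparmor.d/disable
fi
```

A "weak" value for restrict_unconfined or a non-zero profile count means the first two bypasses described above remain available to local users until the sysctl is enabled and the listed profiles are reviewed.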
Source: Network World