Features Supposed to Improve Security
Organizations using centralized configuration tools like Ansible may deploy changes with regularly scheduled maintenance or reboot windows. However, this approach may not have a significant impact on security. As Beggs stated, "there is little impact of not ‘patching’ the vulnerability."
Unintended Consequences
Ironically, last October, Ubuntu introduced AppArmor-based features to improve security by reducing the attack surface from unprivileged user namespaces in the Linux kernel. Unfortunately, this feature did not quite live up to its promise. As Beggs pointed out, "This is an unintended consequence where a security control was put in place but it isn’t fully applied, so it allows anyone to push and escalate their privileges."
Three Bypasses
Unprivileged user namespaces are a Linux kernel feature intended to provide additional sandboxing functionality for programs such as container runtimes. The feature lets unprivileged users obtain administrator (root) permissions within a confined environment, without granting them elevated permissions on the host system. However, unprivileged user namespaces have repeatedly been used to exploit kernel vulnerabilities.
Security Hardening Measure
To address this issue, the AppArmor restriction was added to Ubuntu 23.10 and 24.04 LTS as a security hardening measure. This restriction was designed to act as a security control, preventing users from exploiting kernel vulnerabilities. However, Qualys discovered three different bypasses, each of which allows a local attacker to create user namespaces with full administrator capabilities.
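An administrator who reads the two sections above (and the matching FAQ entries) will want to confirm whether the restriction is actually in force on a given host, from the point of view of an unprivileged account. The following program is an added example written for this article; it is not code from the article, from Ubuntu or from Qualys. It reads the Ubuntu sysctl knob kernel.apparmor_restrict_unprivileged_userns and user.max_user_namespaces from /proc/sys (assumed present on Ubuntu 23.10/24.04 kernels; absent elsewhere, which the code reports), and then performs a live check by forking a child that calls unshare(CLONE_NEWUSER) and exits. The status codes and description strings are this example's own design, not a kernel or AppArmor API.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes for the live probe (this example's own convention). */
enum userns_status {
    USERNS_ALLOWED = 0,   /* an unprivileged process can create a user namespace */
    USERNS_DENIED  = 1,   /* the kernel refused (EPERM/EACCES): the restriction is active */
    PROBE_ERROR    = -1   /* fork/wait failed or the child was killed, result unknown */
};

/* Read a single integer from a /proc/sys knob. Returns -1 if the knob does
   not exist (e.g. a kernel without Ubuntu's AppArmor userns patches). */
static long read_sysctl_long(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Interpret the two knobs that govern unprivileged user namespaces on Ubuntu:
   kernel.apparmor_restrict_unprivileged_userns (1 = restricted) and
   user.max_user_namespaces (0 = feature disabled entirely). A value of -1
   means the knob was absent. Returns a static description string. */
const char *describe_userns_policy(long apparmor_restrict, long max_user_ns) {
    if (max_user_ns == 0)
        return "user namespaces disabled (user.max_user_namespaces=0)";
    if (apparmor_restrict == 1)
        return "unprivileged user namespaces restricted by AppArmor";
    if (apparmor_restrict == 0)
        return "unprivileged user namespaces unrestricted";
    return "AppArmor userns knob absent: kernel has no AppArmor userns restriction";
}

/* Live check: fork a child that attempts unshare(CLONE_NEWUSER). Only the
   child's namespace membership changes and it exits immediately, so the
   caller is unaffected. Run this as the unprivileged account being audited;
   a root (CAP_SYS_ADMIN) caller is always allowed and proves nothing. */
int probe_unprivileged_userns(void) {
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0) _exit(USERNS_ALLOWED);
        /* EPERM is what an unconfined caller receives when the AppArmor
           restriction is enforced; any other errno is reported as unknown. */
        _exit(errno == EPERM || errno == EACCES ? USERNS_DENIED : 2);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return PROBE_ERROR;
    int code = WEXITSTATUS(status);
    return code == 2 ? PROBE_ERROR : code;
}

int main(void) {
    long restrict_knob = read_sysctl_long("/proc/sys/kernel/apparmor_restrict_unprivileged_userns");
    long max_ns = read_sysctl_long("/proc/sys/user/max_user_namespaces");
    printf("policy: %s\n", describe_userns_policy(restrict_knob, max_ns));
    int r = probe_unprivileged_userns();
    printf("live probe as uid %u: %s\n", (unsigned)getuid(),
           r == USERNS_ALLOWED ? "user namespace created (restriction not enforced for this process)"
         : r == USERNS_DENIED  ? "denied (restriction enforced)"
         : "probe failed");
    return 0;
}
```

The two checks answer different questions: the sysctl tells you what policy is configured, while the live probe tells you what the kernel actually does for the process running it. The bypasses described in this article are exactly the cases where the first says "restricted" and the second, run from a differently confined binary, would still succeed, which is why an audit should not stop at reading the knob.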
Bypass 1: Escaping the Sandbox
The first bypass involves creating a new user namespace and then escaping the sandbox by using the unshare system call. This allows the attacker to gain elevated privileges and exploit kernel vulnerabilities.
Bypass 2: Spoofing the Sandbox
The second bypass involves spoofing the sandbox by creating a new user namespace and then modifying the nsproxy struct to point to the original namespace. This allows the attacker to bypass the security restrictions and gain elevated privileges.
Bypass 3: Using the setns System Call
The third bypass involves using the setns system call to switch to a new user namespace. This allows the attacker to bypass the security restrictions and gain elevated privileges.
Conclusion
In conclusion, the AppArmor-based features introduced by Ubuntu to improve security have been found to have unintended consequences. The three bypasses discovered by Qualys demonstrate that the security hardening measure implemented by Ubuntu is not effective in preventing users from exploiting kernel vulnerabilities. As a result, organizations should reconsider their approach to security and implement more robust measures to protect against kernel vulnerabilities.
FAQs
Q: What are unprivileged user namespaces?
A: Unprivileged user namespaces are a feature in the Linux kernel that provide additional sandboxing functionality for programs such as container runtimes. They enable unprivileged users to gain administrator (root) permissions within a confined environment, without giving them elevated permissions on the host system.
Q: What is the purpose of the AppArmor restriction in Ubuntu 23.10 and 24.04 LTS?
A: The AppArmor restriction was added to Ubuntu 23.10 and 24.04 LTS as a security hardening measure to prevent users from exploiting kernel vulnerabilities. However, Qualys discovered three different bypasses that allow local attackers to create user namespaces with full administrator capabilities.
Q: How do the bypasses work?
A: The bypasses involve creating a new user namespace, escaping the sandbox, spoofing the sandbox, or using the setns system call to switch to a new user namespace. Each of these bypasses allows a local attacker to create user namespaces with full administrator capabilities, enabling them to exploit kernel vulnerabilities.
Q: What are the implications of these bypasses?
A: The implications are significant, as they demonstrate that the security hardening measure implemented by Ubuntu is not effective in preventing users from exploiting kernel vulnerabilities. Organizations should reconsider their approach to security and implement more robust measures to protect against kernel vulnerabilities.