Researchers at Qualys have uncovered significant security bypasses in Ubuntu Linux’s user namespace restrictions, potentially allowing local attackers to exploit vulnerabilities within kernel components. The discovery has raised concerns among users of Ubuntu versions 23.10 and 24.04, where these restrictions are either active by default or have been enabled.
The identified bypasses let local unprivileged users create user namespaces with full administrative capabilities, which can facilitate attacks that exploit kernel vulnerabilities. According to the researchers, these bypasses could serve as entry points for attackers to gain elevated privileges within an isolated environment. As noted by Qualys, “these bypasses facilitate exploiting vulnerabilities in kernel components requiring powerful administrative privileges,” as detailed on their blog.
Qualys examined three distinct methods of bypassing the user namespace restrictions. The first uses the aa-exec tool, which allows users to run programs under specific AppArmor profiles; certain permissive profiles enable the creation of user namespaces with full capabilities. The second uses the busybox shell, whose associated AppArmor profile attackers can also exploit for unrestricted user namespace creation. The third is the LD_PRELOAD technique, which allows attackers to inject a malicious shared library into trusted processes, consequently bypassing the intended restrictions.
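The aa-exec and busybox methods above both rely on AppArmor profiles that permit user namespace creation. The following Python audit is an added example, not code from Qualys, Canonical or the original article: it scans profile text for profiles that grant the userns rule and marks those that also carry flags=(unconfined). The sample profiles are constructed, and the example_* names and paths are hypothetical.

```python
import re

# Constructed sample in AppArmor profile syntax; the example_* profiles
# and their paths are hypothetical, not taken from any real system.
SAMPLE_PROFILES = """
profile busybox /usr/bin/busybox flags=(unconfined) {
  userns,
}
profile example_sandboxed /opt/example/bin/app {
  userns create,
  /opt/example/** r,
}
profile example_locked /opt/example/bin/tool flags=(complain) {
  audit deny userns,
}
"""

HEADER = re.compile(r'^\s*profile\s+(?P<name>"[^"]+"|\S+)(?P<rest>[^{]*)\{')
FLAGS = re.compile(r"flags\s*=\s*\(([^)]*)\)")
USERNS = re.compile(r"^\s*(?P<quals>(?:(?:audit|allow|deny)\s+)*)userns\b[^,]*,")

def audit_profiles(text):
    """Map each profile that grants userns to a risk label."""
    findings, name, flags, depth = {}, None, set(), 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments
        header = HEADER.match(line)
        if header and depth == 0:  # a top-level profile starts here
            name = header.group("name").strip('"')
            found = FLAGS.search(header.group("rest"))
            flags = set(re.findall(r"[\w-]+", found.group(1))) if found else set()
            depth = 1
            continue
        if name is None:
            continue
        depth += line.count("{") - line.count("}")
        rule = USERNS.match(line)
        if rule and "deny" not in rule.group("quals").split():
            # flags=(unconfined) means the profile itself enforces no restrictions.
            findings[name] = "unconfined+userns" if "unconfined" in flags else "userns"
        if depth <= 0:  # closing brace of the profile
            name, depth = None, 0
    return findings

if __name__ == "__main__":
    for profile, risk in audit_profiles(SAMPLE_PROFILES).items():
        print(f"{profile}: {risk}")
```

On a live system the same function can be run over the contents of the profile files under /etc/apparmor.d.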
In response to these findings, Canonical, the organization behind Ubuntu, confirmed that it is aware of them and is working on enhancements to the AppArmor protections. A representative explained that these findings are not classified as vulnerabilities but rather as limitations of the existing defense mechanisms. Canonical plans to release updates according to its standard schedule, rather than as urgent security patches. It has advised administrators to consider various hardening steps outlined in a bulletin on the Ubuntu Discourse forum.