


New Ubuntu Linux Security Bypasses Require Manual Mitigations (bleepingcomputer.com) 14
An anonymous reader shared this report from BleepingComputer:
Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could be enable a local attacker to exploit vulnerabilities in kernel components. The issues allow local unprivileged users to create user namespaces with full administrative capabilities and impact Ubuntu versions 23.10, where unprivileged user namespaces restrictions are enabled, and 24.04 which has them active by default...
Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse. Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways... The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, and they are not enough to obtain complete control of the system... Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by vulnerability researcher Roddux, who published the details on March 21.
Canonical, the organization behind Ubuntu Linux, has acknowledged Qualys' findings and confirmed to BleepingComputer that they are developing improvements to the AppArmor protections. A spokesperson told us that they are not treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.
Canonical shared hardening steps that administrators should consider in a bulletin published on their official "Ubuntu Discourse" discussion forum.
Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse. Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways... The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, and they are not enough to obtain complete control of the system... Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by vulnerability researcher Roddux, who published the details on March 21.
Canonical, the organization behind Ubuntu Linux, has acknowledged Qualys' findings and confirmed to BleepingComputer that they are developing improvements to the AppArmor protections. A spokesperson told us that they are not treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.
Canonical shared hardening steps that administrators should consider in a bulletin published on their official "Ubuntu Discourse" discussion forum.
More like corporate Windoze (Score:4, Interesting)
Re: (Score:2)
or is it RedHat?
Not open source anymore, closer to Apple... the core is open source (ironically in Apple's case, core, get it?), and wrapped in a crunchy layer of proprietary software...
Re: More like corporate Windoze (Score:1)
Re: (Score:2)
Re: (Score:2)
Funny how cretins like you always tell others directly what you are. Also funny, how such cretins are universally too dumb to see that.
Re: (Score:2)
If unprivileged user namespaces are considered such a clusterfuck that it's considered a security risk for applications being able to bypass access controls for them, then they probably need access controls.
Re: More like corporate Windoze (Score:2)
Re: (Score:2)
The issue is attack surface and making codepaths formerly only reachable by root reachable by users.
To quote the Ubuntu developers "In a report from Google, 44% of the exploits they saw required unprivileged user namespaces as part of their exploit chain.".
Re: (Score:2)
Indeed. It is also cheap, because you do not have to think about what you did wrong in the first place. But all it does is add technological debt.
Linux is not Ubuntu (Score:3)
Does this compromise ALL Linux?
Re: (Score:2)
No, it's a sandbox escape attack against AppArmor specifically. I haven't looked to see if it affects AppArmor in general or Ubuntu's configuration specifically. SELinux isn't affected.
Re:Linux is not Ubuntu (Score:4, Informative)
Does this compromise ALL Linux?
AppArmor is used with a subset of the various Linux distributions. Ubuntu, and (legacy) OpenSUSE (OpenSUSE is moving to SELinux moving forward) are, perhaps, the most well known distributions using AppArmor.
There are various advantages of AppArmor vs SELinux (and vice versa). As is usually the case, Linux offers options, and as always, for any specific use case, your options will vary and be more interesting.
I do wonder if Ubuntu will end up continuing to be the last remaining major enterprise targeted distro using AppArmor rather than SELinux. There is more to life than enterprise targeted distros, but that is where the real money is.
Re: Linux is not Ubuntu (Score:2)