Cybersecurity researchers have found several security holes in the Linux kernel's AppArmor module that unprivileged users could use to get around kernel protections, gain root access, and break the isolation guarantees of containers. The Qualys Threat Research Unit (TRU) has given the nine confused deputy vulnerabilities the code name CrackArmor.

The cybersecurity company said the problem has been around since 2017. No CVE identifiers have been assigned to the flaws. AppArmor is a Linux security module that protects the operating system from both inside and outside threats by preventing known and unknown application flaws from being exploited. It does this by enforcing mandatory access control (MAC).

Since version 2.6.36, it has been a part of the mainline Linux kernel.

"This 'CrackArmor' advisory shows a flaw in the confused deputy that lets unprivileged users change security profiles through fake files, get around user-namespace restrictions, and run any code they want in the kernel," said Saeed Abbasi, senior manager of Qualys TRU. "These bugs make it easier for attackers to gain root access on a local machine by using tools like Sudo and Postfix in complicated ways. They also make it easier for attackers to launch denial-of-service attacks by running out of memory and bypassing Kernel Address Space Layout Randomization (KASLR) through out-of-bounds reads."

Confused deputy vulnerabilities arise when an unprivileged user tricks a privileged program into misusing its authority to perform actions that were never intended and are harmful. The attack abuses the trust placed in the more powerful component to carry out an operation that grants the user privileges they should not have.

Qualys said that a user without the required permissions can modify AppArmor profiles to disable important service protections or enforce deny-all policies, which can lead to denial-of-service (DoS) attacks. "Along with kernel-level flaws that come with profile parsing, attackers can get around user-namespace restrictions and get Local Privilege Escalation (LPE) to full root," it said. "Policy manipulation compromises the entire host, while namespace bypasses facilitate advanced kernel exploits such as arbitrary memory disclosure. DoS and LPE capabilities result in service outages, credential tampering via passwordless root (e.g., /etc/passwd modification), or KASLR disclosure, which enables further remote exploitation chains."

To make matters worse, CrackArmor enables unprivileged users to create fully-capable user namespaces, effectively getting around Ubuntu's user namespace restrictions implemented via AppArmor, and subverting critical security guarantees like container isolation, least-privilege enforcement, and service hardening. The cybersecurity company said it's withholding the release of proof-of-concept (PoC) exploits for the identified flaws to give users some time to prioritize patches and minimize exposure.

The problem affects all Linux kernels since version 4.11 on any distribution that integrates AppArmor.

More than 12.6 million enterprise Linux instances run with AppArmor turned on by default in some of the most popular distributions, like Ubuntu, Debian, and SUSE. The recommended fix is to apply the kernel patches without delay. "Immediate kernel patching is still the most important thing to do to fix these serious security holes," Abbasi said. "Interim mitigation doesn't provide the same level of security as restoring the vendor-fixed code path."