www.infosecurity-magazine.com 3/16/2026, 2:17:01 PM

CrackArmor Flaws Expose Linux Systems to Privilege Escalation

A set of newly identified vulnerabilities in the Linux security module AppArmor, collectively named CrackArmor, could allow attackers to gain root access, bypass protections and trigger service outages across millions of systems, according to Infosecurity Magazine. The flaws were discovered by the Qualys Threat Research Unit (TRU), which identified nine issues that have existed in the Linux kernel since version 4.11 in 2017.

Because AppArmor is enabled by default in widely used distributions such as Ubuntu, Debian and SUSE, the exposure is extensive: Qualys estimates that more than 12.6 million enterprise Linux systems currently run with AppArmor active. The vulnerabilities stem from a confused deputy flaw that lets an unprivileged local user manipulate AppArmor profiles, potentially executing arbitrary code by exploiting pseudo-files within the kernel. In some scenarios, attackers do not need administrative credentials.

Qualys researchers have developed proof-of-concept exploits but have not released the code publicly. According to Qualys CTO Dilip Bachwani, CrackArmor proves that even entrenched protections can be bypassed without admin credentials. Organisations are urged to apply vendor kernel updates and treat the Ubuntu advisory as urgent. CVE identifiers have not yet been assigned, as fixes for the upstream kernel are typically incorporated into stable releases.

Article by CyberSIXT