thehackernews.com 3/13/2026, 10:02:41 AM

Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation

Cybersecurity researchers have disclosed nine security vulnerabilities in the Linux kernel’s AppArmor module that unprivileged users could exploit to bypass protections, escalate to root, and undermine container isolation. The Qualys Threat Research Unit (TRU) has dubbed the set CrackArmor. The flaws, described as confused deputy vulnerabilities, have existed since 2017 and currently have no CVE identifiers assigned.

According to Qualys TRU’s Saeed Abbasi, these flaws allow unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel, enabling local privilege escalation and potential denial-of-service (DoS) attacks. The advisory also notes that attackers could leverage interactions with tools like Sudo and Postfix, and that DoS, KASLR bypasses, and arbitrary memory disclosure are possible outcomes.

The problem affects all Linux kernels since version 4.11 on any distribution that integrates AppArmor. More than 12.6 million enterprise Linux instances operate with AppArmor enabled by default in major distros such as Ubuntu, Debian, and SUSE. Abbasi advises immediate kernel patching.

Article by CyberSIXT