CrackArmor: Critical AppArmor Flaws Enable Local Privilege Escalation to Root

Qualys Blog, 12/03/2026, 21:32

Summary

AI-Generated

Key Points:

  • Qualys TRU has identified critical vulnerabilities in AppArmor, dubbed “CrackArmor,” allowing unprivileged users to escalate privileges to root and bypass container isolation.
  • Over 12.6 million Linux systems, including Ubuntu, Debian, and SUSE, are affected, with potential impacts including denial-of-service attacks and compromised system integrity.
  • Immediate kernel patching is essential; organizations should expedite maintenance windows to deploy patches and monitor for unusual changes in AppArmor profiles.

Technical Details: The vulnerabilities allow local privilege escalation through manipulation of AppArmor profiles via pseudo-files, enabling arbitrary code execution within the kernel. These flaws have existed since 2017 and affect all Linux kernels since v4.11.
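For the recommendation to monitor for unusual changes in AppArmor profiles, one approach is to snapshot the kernel's loaded-profile list and diff it against a known-good baseline. The following is an added example, not code from the Qualys article; it assumes the standard securityfs listing at `/sys/kernel/security/apparmor/profiles` with one `name (mode)` entry per line, and the two sample snapshots are constructed.

```python
import re

# Kernel's list of loaded profiles (securityfs; reading it typically requires root).
PROFILES_PATH = "/sys/kernel/security/apparmor/profiles"
LINE_RE = re.compile(r"^(?P<name>.+) \((?P<mode>[a-z]+)\)$")

# Constructed sample snapshots, not taken from a real host.
BASELINE_SAMPLE = """\
/usr/sbin/cupsd (enforce)
/usr/bin/man (enforce)
docker-default (enforce)
"""
CURRENT_SAMPLE = """\
/usr/sbin/cupsd (complain)
docker-default (enforce)
example-new-profile (enforce)
"""

def parse_profiles(text):
    """Parse 'name (mode)' lines into {name: mode}; reject malformed lines."""
    profiles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised profile line: {raw!r}")
        profiles[m.group("name")] = m.group("mode")
    return profiles

def diff_profiles(baseline, current):
    """Report profiles added, removed, or switched to a different mode."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "mode_changed": sorted(
            (n, baseline[n], current[n]) for n in common if baseline[n] != current[n]
        ),
    }

if __name__ == "__main__":
    drift = diff_profiles(parse_profiles(BASELINE_SAMPLE), parse_profiles(CURRENT_SAMPLE))
    for kind, items in drift.items():
        for item in items:
            print(f"ALERT {kind}: {item}")
```

On a real host, store the output of reading `PROFILES_PATH` after patching as the baseline and run the comparison on a schedule; a removed profile or an enforce-to-complain switch outside a change window is worth investigating.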

MITRE ATT&CK Techniques:

  • T1068 - Exploit Public-Facing Application (Privilege Escalation)
  • T1203 - User Execution (Execution)
  • T1499 - Endpoint Denial of Service (Impact)

IOCs Mentioned: None mentioned.
