Unprivileged users could exploit AppArmor bugs to gain root access
2026-03-16 08:05:09 Author: securityaffairs.com


Researchers found nine “CrackArmor” flaws in Linux AppArmor that could let unprivileged users bypass protections, gain root privileges, and weaken container isolation.

Qualys researchers disclosed nine vulnerabilities, collectively tracked as CrackArmor, in the Linux kernel’s AppArmor module.

The flaws have been present since 2017 (kernel v4.11) and could allow unprivileged local users to bypass AppArmor's protections, escalate privileges to root, run code in the kernel, or cause denial-of-service conditions.

AppArmor is a Linux security module (LSM) that confines programs with per-program profiles restricting the files, capabilities, and network access each may use, so that even an application compromised through an unknown (zero-day) exploit is limited to what its profile allows. It layers mandatory access control over the traditional Unix discretionary access model, has been part of the mainline Linux kernel since version 2.6.36, and has been developed with Canonical's support since 2009.

Because AppArmor is widely deployed in enterprise systems, cloud platforms, containers, and IoT devices, the advisory estimates that more than 12.6 million Linux systems are potentially affected.

Researchers developed proof-of-concept exploits but did not release them publicly to reduce risk.

No CVE identifiers have been assigned yet, but security teams are strongly advised to patch the Linux kernel immediately, as updates are the only reliable way to mitigate the risk.

At the core of CrackArmor is a confused-deputy problem. Unprivileged users cannot write to AppArmor's control pseudo-files themselves, but they can induce privileged processes that legitimately do so to load, replace, or remove security profiles on their behalf. According to the report, this lets an attacker bypass user-namespace limits and execute code in the kernel, escalate to root through interactions with tools such as Sudo and Postfix, trigger denial-of-service conditions, and defeat Kernel Address Space Layout Randomization (KASLR). The findings undermine the default security assumptions of affected systems and could impact confidentiality, integrity, and availability.

“This “CrackArmor” advisory exposes a confused-deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel.” reads the report. “These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads.”

The same confused-deputy path also supports denial of service: the report describes loading a “deny-all” profile or removing nested subprofiles in ways that cause kernel panics and forced reboots. Because AppArmor is enabled by default on Ubuntu, Debian, and SUSE, the exposure extends to the cloud, Kubernetes, and edge systems built on them. Flaws of this kind are attractive to state-sponsored attackers, which makes prompt kernel patching and monitoring critical.

CrackArmor exploits a design flaw in AppArmor, the Linux mandatory access control framework included in the kernel since 2.6.36 and enabled by default on Ubuntu, Debian, SUSE, and their derivatives. Unprivileged users can trick privileged processes such as Sudo or Postfix into modifying AppArmor profiles through the pseudo-files under /sys/kernel/security/apparmor/, bypassing user-namespace restrictions, executing arbitrary kernel code, collapsing container isolation, and escalating to root. According to the advisory, all kernel versions since v4.11 are affected. Because the attack subverts the access-control layer that enterprise, cloud, Kubernetes, and edge deployments rely on, rapid remediation is critical.

“This is comparable to an intruder convincing a building manager with master keys to open restricted vaults that the intruder cannot enter alone. In this scenario, attackers leverage trusted tools like Sudo or Postfix to modify protected AppArmor profiles via pseudo-files (/sys/kernel/security/apparmor/.load, .replace).” continues the report. “This bypasses user-namespace restrictions and allows for arbitrary code execution within the kernel, collapsing container isolation and enabling local privilege escalation (LPE) to root.”

Organizations should patch immediately, use the Qualys QIDs published with the advisory to scan for exposed systems, and monitor /sys/kernel/security/apparmor/ for unauthorized profile changes. Check vendor advisories for affected versions and fixes before rolling updates out to enterprise, cloud, Kubernetes, and edge deployments.

“Immediate kernel patching remains the non-negotiable priority for neutralizing these critical vulnerabilities, as interim mitigation does not offer the same level of security assurance as restoring the vendor-fixed code path.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Linux)




Source: https://securityaffairs.com/189487/hacking/unprivileged-users-could-exploit-apparmor-bugs-to-gain-root-access.html