New Ubuntu Security Bypasses Allow Attackers to Exploit Kernel Vulnerabilities


Mar 31, 2025 - 18:13

Three critical bypasses in Ubuntu Linux’s unprivileged user namespace restrictions allow local attackers to escalate privileges and exploit kernel vulnerabilities. 

These bypasses affect Ubuntu 23.10 and 24.04 LTS systems, where AppArmor-based protections were introduced to limit namespace misuse. 

While they do not grant full system control on their own, they become potent when combined with kernel flaws that can only be reached with capabilities such as CAP_SYS_ADMIN or CAP_NET_ADMIN.

Ubuntu User Namespace Bypass Techniques

According to the Qualys Threat Research Unit (TRU) advisory, Ubuntu’s user namespace restrictions, designed to prevent unprivileged users from gaining administrative capabilities within isolated environments, can be circumvented through three methods:

Bypass via aa-exec

The aa-exec tool, installed by default, allows switching to permissive AppArmor profiles (e.g., trinity, chrome, or flatpak). Attackers can abuse this to run the unshare command under such a profile and create unrestricted namespaces.

This grants full capabilities within the namespace, bypassing Ubuntu’s restrictions.

Bypass via Busybox

The default Busybox shell’s AppArmor profile permits unrestricted namespace creation. Attackers spawn a shell via Busybox and create namespaces from it.

This method is effective on both Ubuntu Server and Desktop installations.

Bypass via LD_PRELOAD

By injecting a malicious shared library into trusted processes such as Nautilus (GNOME’s file manager), attackers take advantage of those processes’ permissive profiles.

The library spawns a shell within the process, enabling privileged namespace creation.

The vulnerabilities primarily impact:

  • Ubuntu 24.04 LTS: Restrictions enabled by default.
  • Ubuntu 23.10: Restrictions exist but require manual activation.

User namespaces, vital for containerization and sandboxing, expose kernel attack surfaces when misconfigured. 

Researchers emphasized that while these bypasses alone don’t compromise systems, they lower the barrier for exploiting kernel vulnerabilities like memory corruption or race conditions.

Canonical acknowledged the limitations but classified them as defense-in-depth weaknesses rather than critical vulnerabilities. Mitigations include:

  • Kernel parameter adjustment: enable kernel.apparmor_restrict_unprivileged_unconfined=1 to block aa-exec abuse.
  • Profile hardening: disable the broad AppArmor profiles for Busybox and Nautilus.
  • Stricter bwrap profiles: implement granular namespace controls for applications relying on bwrap (e.g., Flatpak).

Administrators can audit profiles using aa-status and apply updates via standard Ubuntu channels, though fixes won’t be expedited as emergency patches.
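As an added example (not from the Qualys advisory or from Canonical), the POSIX shell helper below audits the two mitigations above on a host: it reads the AppArmor sysctls and scans installed profile files for the permissive pattern the bypasses depend on, a profile that runs with flags=(unconfined) yet grants the userns permission. The sysctl kernel.apparmor_restrict_unprivileged_userns (the knob that turns the restriction itself on, not named in the article), the /etc/apparmor.d layout with a disable/ directory of symlinks, the `flags=(unconfined)` / `userns,` profile syntax and the drop-in file name are assumptions; the sample profiles used to exercise it are constructed.

```shell
#!/bin/sh
# Added audit helper (assumption-based, not Qualys or Canonical code).
# Directories are parameters so the functions can be exercised against
# constructed sample files; the defaults point at the live system.

# Print the value of one sysctl file, or "missing" if the kernel lacks it.
read_sysctl() {
    f="$1/$2"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# Return 0 when both restriction sysctls are enabled (=1), 1 otherwise.
# $1: sysctl directory (default /proc/sys/kernel)
check_userns_sysctls() {
    dir="${1:-/proc/sys/kernel}"
    userns=$(read_sysctl "$dir" apparmor_restrict_unprivileged_userns)
    unconf=$(read_sysctl "$dir" apparmor_restrict_unprivileged_unconfined)
    echo "apparmor_restrict_unprivileged_userns=$userns"
    echo "apparmor_restrict_unprivileged_unconfined=$unconf"
    [ "$userns" = 1 ] && [ "$unconf" = 1 ]
}

# List profile files under $1 (default /etc/apparmor.d) that declare
# flags=(unconfined) and also carry a userns rule, skipping profiles that
# have been disabled via a symlink in $1/disable (assumed layout).
# Prints one path per line; returns 0 if none found, 1 if any exist.
scan_unconfined_userns_profiles() {
    dir="${1:-/etc/apparmor.d}"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -e "$dir/disable/$(basename "$f")" ] && continue
        if grep -Eq 'flags=\([^)]*unconfined[^)]*\)' "$f" \
           && grep -Eq '^[[:space:]]*userns[[:space:]]*,' "$f"; then
            echo "$f"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Write a sysctl.d drop-in enabling both restrictions to $1
# (e.g. /etc/sysctl.d/99-userns-hardening.conf, a hypothetical name).
# Takes effect on boot or after `sysctl --system`.
write_userns_sysctl_dropin() {
    printf '%s\n' \
        'kernel.apparmor_restrict_unprivileged_userns = 1' \
        'kernel.apparmor_restrict_unprivileged_unconfined = 1' > "$1"
}

# Run as `sh userns_audit.sh audit` to check the live system.
if [ "${1:-}" = audit ]; then
    if check_userns_sysctls; then
        echo "sysctls: hardened"
    else
        echo "sysctls: NOT hardened (a kernel without the knobs reports 'missing')"
    fi
    echo "enabled profiles granting userns while unconfined:"
    if scan_unconfined_userns_profiles; then
        echo "  none"
    fi
fi
```

A profile reported by the scan is a candidate for the "profile hardening" step; a listing of `missing` for either sysctl means the running kernel does not carry the AppArmor restriction patches at all, which is a different finding from a knob that is merely turned off.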

Qualys offers its TruRisk Eliminate platform to automate defenses, providing pre-tested scripts to enforce kernel parameters and disable vulnerable profiles, integration with Qualys agents for centralized mitigation deployment, and risk isolation for critical assets without patching.

This discovery underscores the challenges of balancing usability and security in Linux distributions.  While Ubuntu’s proactive measures set industry benchmarks, the bypasses highlight how defense-in-depth mechanisms can inadvertently introduce complexity. 

As kernel-level exploits rise, solutions like TruRisk Eliminate and rapid hardening practices are critical for enterprises prioritizing uptime alongside security.

Qualys and Canonical continue collaborating on long-term AppArmor improvements, with updates expected in future Ubuntu releases. For now, administrators must manually apply mitigations to safeguard vulnerable systems.


The post New Ubuntu Security Bypasses Allow Attackers to Exploit Kernel Vulnerabilities appeared first on Cyber Security News.