CrackArmor Vulnerability: 12.6 Million Linux Servers Under Threat of Root Takeover

[Image: CrackArmor vulnerability warning on a laptop screen, illustrating the critical Linux server root takeover threat. MaxAPEX Blogs]
A serious vulnerability has been hiding in the mainline Linux kernel for almost a decade. On March 12, 2026, the Qualys Threat Research Unit (TRU) disclosed CrackArmor, a collection of nine critical AppArmor vulnerabilities that enable complete root takeover of more than 12.6 million enterprise Linux servers.

AppArmor is one of the most widely deployed mandatory access control (MAC) systems and is enabled by default on major distributions, including Ubuntu, Debian, and SUSE. That makes the attack surface enormous. Wherever your servers run, on-premises, in Kubernetes, or on Linux cloud infrastructure, they are exposed if AppArmor is enabled. You can confirm whether AppArmor is active on a host with aa-status, or by reading /sys/module/apparmor/parameters/enabled, which prints Y when the module is enabled.

Below is a technical overview of how CrackArmor works, why it went undetected for nine years, and what you can do immediately to secure your systems.

What is the CrackArmor AppArmor Vulnerability?

CrackArmor does not undermine AppArmor's security model itself. Instead it exploits flaws in AppArmor's implementation as a Linux Security Module (LSM). The bugs trace back to Linux kernel 4.11, released in 2017. At their core, they are confused-deputy attacks.

In a confused-deputy attack, a low-privileged user tricks a privileged process into doing something it should not. CrackArmor achieves this by getting trusted, privileged utilities, chiefly sudo and postfix, to write to AppArmor's pseudo files under /sys/kernel/security/apparmor/ on the attacker's behalf. Because those utilities run with privilege, the writes bypass the restrictions that would normally apply to the attacker's user namespace, and ultimately let the attacker execute arbitrary code in the kernel.

The Impact: Container Breakout and Linux Privilege Escalation

CrackArmor is severe. Its bugs provide direct root-level local privilege escalation (LPE). A threat actor with even minimal, unprivileged access to your server, whether through a compromised web application or a weak SSH password, can immediately take complete control of the host.

Qualys documents several attack paths:

  • Root privilege escalation. Attackers can manipulate environment variables so that sudo executes Postfix binaries as root, yielding a full root shell. A use-after-free bug also lets them write directly to /etc/passwd from within the kernel.
  • Container and namespace escape. Unprivileged users can break out of Docker isolation and take control of the host by creating full user namespaces.
  • Denial of service (DoS). Attackers can trigger a stack overflow that crashes the kernel and forces a hard reboot, causing significant downtime.
  • Policy bypass. Threat actors can silently disable critical logging services or block all traffic, locking your own engineers out.

The "No CVE" Danger, and Why Firewalls Fail

At the time CrackArmor was released, no official CVE identifiers had been assigned, because the upstream kernel project had not yet allocated them. The exploit details, however, are fully documented. Waiting for an official CVE before patching only increases the likelihood of a breach.

Standard cloud firewalls and basic network perimeter controls will not stop CrackArmor. It is a local privilege escalation flaw, meaning the attack takes place inside the host OS. A firewall cannot inspect malicious code that is manipulating AppArmor profiles in kernel space.


The Protection: EPP, SIEM, and Linux Server Security

Surviving zero-day and deep-kernel attacks like CrackArmor requires continuous, proactive OS-level protection.

MaxProtect is a managed security service provider (MSSP) built specifically for Linux. Our engineers secure your infrastructure with a preventative, multi-layered approach:

Managed Patching and Vulnerability Auditing. CrackArmor moves fast. We build, maintain, and deliver the latest patches to your servers quickly and safely, within your scheduled maintenance windows.

24/7 SIEM Monitoring. We collect and analyze your logs around the clock. Once an attacker has root, they can hide profile changes made under /sys/kernel/security/apparmor/ before anyone notices, so writes to that directory need to be logged and reviewed as they happen.

Endpoint Protection Platform (EPP). Our Linux agents detect and block unauthorized binaries and anomalous execution behavior directly on your servers and container hosts.
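Every attack path described above ends with a privileged process writing to AppArmor's policy interface, and the SIEM point above depends on seeing those writes. The following detection example is added here and is not code from the Qualys advisory or from MaxProtect. It assumes an auditd watch rule of the form `-w /sys/kernel/security/apparmor/ -p wa -k apparmor_policy` (verify that watches on securityfs behave as expected on your kernel), an allow-list of expected writers consisting only of apparmor_parser (a hypothetical policy choice), and the sample audit records embedded in the block, which are constructed for this example.

```python
"""Flag writes to AppArmor's securityfs policy interface in auditd logs.

Added example, not code from the CrackArmor advisory or from MaxProtect.
Assumes an auditd watch rule such as
    -w /sys/kernel/security/apparmor/ -p wa -k apparmor_policy
so that each write under that directory yields a SYSCALL record plus one
or more PATH records sharing the same audit serial number.  The allow-list
of expected writers and the sample log lines are constructed for this
example.
"""
import re
from collections import defaultdict

APPARMORFS = "/sys/kernel/security/apparmor/"

# Hypothetical allow-list: the only program expected to load, replace or
# remove profiles.  Any other executable writing into apparmorfs is treated
# as a confused-deputy indicator (e.g. sudo or postfix doing the write).
EXPECTED_WRITERS = {"/sbin/apparmor_parser", "/usr/sbin/apparmor_parser"}

# Constructed sample records: a legitimate profile reload, a suspicious
# write by sudo, and an unrelated event that must not be flagged.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1710230400.101:2001): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 comm="apparmor_parser" exe="/sbin/apparmor_parser" key="apparmor_policy"
type=PATH msg=audit(1710230400.101:2001): item=0 name="/sys/kernel/security/apparmor/.replace" mode=0100220
type=SYSCALL msg=audit(1710230400.202:2002): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1200 pid=1234 auid=1001 uid=0 gid=0 euid=0 comm="sudo" exe="/usr/bin/sudo" key="apparmor_policy"
type=PATH msg=audit(1710230400.202:2002): item=0 name="/sys/kernel/security/apparmor/.load" mode=0100220
type=SYSCALL msg=audit(1710230400.303:2003): arch=c000003e syscall=257 success=yes exit=5 items=1 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="etc_passwd"
type=PATH msg=audit(1710230400.303:2003): item=0 name="/etc/passwd" mode=0100644
"""

SERIAL_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (serial, record_type, fields) for one auditd record, or None."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return m.group(2), fields.get("type"), fields


def group_events(lines):
    """Group SYSCALL and PATH records that share an audit serial number."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, rtype, fields = parsed
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["paths"].append(fields.get("name", ""))
    return events


def find_apparmorfs_writes(lines):
    """Return one alert per event that touched apparmorfs from an
    executable outside EXPECTED_WRITERS."""
    alerts = []
    for serial, ev in group_events(lines).items():
        sc = ev["syscall"]
        if sc is None:
            continue  # PATH records without a SYSCALL record: nothing to attribute
        targets = [p for p in ev["paths"] if p.startswith(APPARMORFS)]
        if not targets:
            continue
        exe = sc.get("exe", "")
        if exe in EXPECTED_WRITERS:
            continue
        alerts.append({
            "serial": serial,
            "exe": exe,
            "comm": sc.get("comm"),
            "auid": sc.get("auid"),
            "pid": sc.get("pid"),
            "success": sc.get("success"),
            "targets": targets,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_apparmorfs_writes(SAMPLE_LOG.splitlines()):
        print("ALERT apparmorfs write by unexpected process:", alert)
```

On the sample, only the write by /usr/bin/sudo (audit UID 1001, serial 2002) is reported; the apparmor_parser reload and the /etc/passwd event are ignored. In production, feed the function lines from ausearch or your log shipper, keep the failed attempts too (the success field is carried through for that reason), and treat the allow-list as a starting point to tune per host.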

Basic hosting services only promise uptime. MaxProtect engineers work to stop threats like CrackArmor before they harm your business.

Need to secure your Linux infrastructure? Getting started is easy. Go to our pricing page, click Start Protecting Now, choose the $100/server/month option, and schedule your onboarding.

To try us out first, request a Free Vulnerability Audit. We will also run a zero-credential external scan to map your exposure, so you can review the results with our engineers before deployment.
