Old 29.03.2025, 15:08   #4008
tomek@vz
White Rabbit

Registration date: May 2006
Location: -
Posts: 5,001
And while we're at it...

Quote:
New Ubuntu Linux security bypasses require manual mitigations
Quote:
  1. Bypass via aa-exec: Users can exploit the aa-exec tool, which allows running programs under specific AppArmor profiles. Some of these profiles - like trinity, chrome, or flatpak - are configured to allow creating user namespaces with full capabilities. By using the unshare command through aa-exec under one of these permissive profiles, an unprivileged user can bypass the namespace restrictions and increase privileges within a namespace.
  2. Bypass via busybox: The busybox shell, installed by default on both Ubuntu Server and Desktop, is associated with an AppArmor profile that also permits unrestricted user namespace creation. An attacker can launch a shell via busybox and use it to execute unshare, successfully creating a user namespace with full administrative capabilities.
  3. Bypass via LD_PRELOAD: This technique leverages the dynamic linker’s LD_PRELOAD environment variable to inject a custom shared library into a trusted process. By injecting a shell into a program like Nautilus - which has a permissive AppArmor profile - an attacker can launch a privileged namespace from within that process, bypassing the intended restrictions.
Quote:
In a bulletin published on the official discussion forum (Ubuntu Discourse), the company shared the following hardening steps that administrators should consider:
  • Enable kernel.apparmor_restrict_unprivileged_unconfined=1 to block aa-exec abuse. (not enabled by default)
  • Disable broad AppArmor profiles for busybox and Nautilus, which allow namespace creation.
  • Optionally apply a stricter bwrap AppArmor profile for applications like Nautilus that rely on user namespaces.
  • Use aa-status to identify and disable other risky profiles.
-> Link
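An added audit script illustrating the hardening checks listed above; it is example code, not from the quoted article, the Qualys research or Ubuntu's bulletin. It looks for the two properties the quoted bypasses rely on in a profile (`flags=(unconfined)` plus a `userns,` rule), checks both `kernel.apparmor_restrict_unprivileged_*` sysctls, and lists the bulletin's disable commands. The profile and sysctl samples are constructed to match the shape of Ubuntu 24.04's `/etc/apparmor.d/busybox` and `sysctl` output; the `audit_host` function and the sysctl.d file name are my own choices and the `/etc/apparmor.d/<name>` paths should be confirmed with `aa-status` on the host.

```shell
#!/bin/sh
# Added example: audit AppArmor profile text and sysctls for the conditions
# behind the aa-exec / busybox / Nautilus user-namespace bypasses.
set -u

# audit_profile_text PROFILE_TEXT
# Prints PERMISSIVE (exit 0) when the profile runs with flags=(unconfined)
# AND grants a `userns,` rule, i.e. an unprivileged user who reaches this
# profile (aa-exec, busybox, LD_PRELOAD) can create a full-capability user
# namespace. Prints ok (exit 1) otherwise.
audit_profile_text() {
  text="$1"; unconfined=0; userns=0
  printf '%s\n' "$text" | grep -Eq 'flags=\([^)]*unconfined[^)]*\)' && unconfined=1
  printf '%s\n' "$text" | grep -Eq '^[[:space:]]*userns[[:space:]]*,' && userns=1
  if [ "$unconfined" -eq 1 ] && [ "$userns" -eq 1 ]; then
    echo PERMISSIVE; return 0
  fi
  echo ok; return 1
}

# sysctl_hardened SYSCTL_OUTPUT
# Takes the output of
#   sysctl kernel.apparmor_restrict_unprivileged_userns \
#          kernel.apparmor_restrict_unprivileged_unconfined
# and succeeds only when both are 1. The second one is what Ubuntu leaves at
# 0 by default and what the bulletin says to enable to block aa-exec abuse.
sysctl_hardened() {
  out="$1"
  userns=$(printf '%s\n' "$out" | sed -n 's/^kernel\.apparmor_restrict_unprivileged_userns *= *//p')
  unconf=$(printf '%s\n' "$out" | sed -n 's/^kernel\.apparmor_restrict_unprivileged_unconfined *= *//p')
  [ "${userns:-0}" = 1 ] && [ "${unconf:-0}" = 1 ]
}

# Live audit of a real host (needs AppArmor 4.x; requires root for sysctl
# on some setups). Not exercised by the constructed samples below.
audit_host() {
  for f in /etc/apparmor.d/*; do
    [ -f "$f" ] || continue
    [ "$(audit_profile_text "$(cat "$f")")" = PERMISSIVE ] && echo "risky profile: $f"
  done
  sysctl_hardened "$(sysctl kernel.apparmor_restrict_unprivileged_userns \
                            kernel.apparmor_restrict_unprivileged_unconfined 2>/dev/null)" \
    || echo "sysctl hardening incomplete (apparmor_restrict_unprivileged_unconfined should be 1)"
}

# Mitigations from the bulletin, as root (sysctl.d file name is my choice):
#   sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1
#   printf 'kernel.apparmor_restrict_unprivileged_unconfined = 1\n' \
#       > /etc/sysctl.d/60-apparmor-unconfined.conf
#   apparmor_parser -R /etc/apparmor.d/busybox      # unload the profile
#   ln -s /etc/apparmor.d/busybox /etc/apparmor.d/disable/   # keep it unloaded
#   (repeat for /etc/apparmor.d/nautilus)
# Afterwards `aa-exec -p busybox -- unshare -U -r id` must fail because the
# profile is no longer loaded; `aa-status` should no longer list it.

# Constructed samples (shape of Ubuntu 24.04 files, not copied from a host):
CONSTRUCTED_BUSYBOX=$(cat <<'EOF'
abi <abi/4.0>,
include <tunables/global>
profile busybox /usr/bin/busybox flags=(unconfined) {
  userns,
  include if exists <local/busybox>
}
EOF
)
CONSTRUCTED_CONFINED=$(cat <<'EOF'
abi <abi/4.0>,
profile example /usr/bin/example {
  userns,
  deny capability sys_admin,
}
EOF
)
CONSTRUCTED_SYSCTL_DEFAULT='kernel.apparmor_restrict_unprivileged_userns = 1
kernel.apparmor_restrict_unprivileged_unconfined = 0'
CONSTRUCTED_SYSCTL_HARDENED='kernel.apparmor_restrict_unprivileged_userns = 1
kernel.apparmor_restrict_unprivileged_unconfined = 1'

if [ "${1:-}" = "--live" ]; then
  audit_host
else
  echo "busybox sample: $(audit_profile_text "$CONSTRUCTED_BUSYBOX")"
  echo "confined sample: $(audit_profile_text "$CONSTRUCTED_CONFINED")"
fi
```

Run it with `--live` on a host to walk `/etc/apparmor.d`; the profile-text check only flags profiles that are both unconfined and grant `userns`, so a restricted profile such as the bwrap one the bulletin mentions is not reported.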