Ubuntu User Namespace Access Flaw Uncovered

Security researchers from Qualys disclosed three ways to bypass Ubuntu's restriction on access to user namespaces. The restriction was introduced in Ubuntu 23.10 as an additional isolation layer intended to prevent unprivileged users from creating user namespaces.

Namespaces in the Linux kernel give different processes separate views of system resources, isolating them from one another. The user namespace feature lets an unprivileged process inside an isolated container reach kernel subsystems that normally require elevated privileges.

Originally, many kernel subsystems were designed to be reachable only by the root user. With the introduction of user namespaces, vulnerabilities in those subsystems became potentially exploitable by unprivileged users, which can lead to privileged access to the entire system.

Ubuntu implemented a hybrid scheme as an additional layer of protection: only certain programs are allowed to create a user namespace, based on AppArmor profiles with specific rules. The approach aims to reduce the risk posed by vulnerabilities in kernel subsystems while preserving sandboxing for selected applications.

Creating a user namespace with privileged access inside a container can be exploited when system updates have not been installed and a known kernel vulnerability is present. Three methods of bypassing the access restriction were found, each letting a local user create a user namespace with administrator privileges inside it:

  • The attacker can use the aa-exec utility, included in the base installation, to apply AppArmor profiles that grant access to user namespaces. This lets the attacker run under profiles belonging to programs such as Chrome, Flatpak, and Trinity to gain privileged access.
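To verify whether a host's restriction on unprivileged user namespaces is actually in effect, the following added Python probe (written for this page, not code from Qualys or Ubuntu) forks a child that calls unshare(CLONE_NEWUSER) and reads CapEff from /proc/self/status. The verdict labels are this example's own: "blocked" means creation was refused, "allowed_unprivileged" means the namespace exists but carries no capabilities (the restricted outcome of the AppArmor scheme), and "allowed_full" is the unrestricted state the hybrid scheme is meant to prevent.

```python
import ctypes
import errno
import os
import re

CLONE_NEWUSER = 0x10000000  # flag for unshare(2)


def cap_eff_from_status(status_text):
    """Parse the CapEff bitmask from /proc/<pid>/status text."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    return int(match.group(1), 16) if match else None


def classify(report):
    """Map the child's one-line report to a verdict (labels are this example's own)."""
    if report.startswith("CAP="):
        # Namespace was created: a non-empty CapEff is the outcome the
        # Ubuntu restriction is meant to deny to unprivileged users.
        return "allowed_full" if int(report[4:], 16) else "allowed_unprivileged"
    return "blocked" if report == "EPERM" else "unavailable"


def probe_userns():
    """Fork a child that tries unshare(CLONE_NEWUSER); the parent never changes namespace."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: attempt the unshare and report back over the pipe
        os.close(rfd)
        libc = ctypes.CDLL(None, use_errno=True)
        if libc.unshare(CLONE_NEWUSER) == 0:
            with open("/proc/self/status") as fh:
                report = "CAP=%x" % (cap_eff_from_status(fh.read()) or 0)
        else:
            report = "EPERM" if ctypes.get_errno() == errno.EPERM else "ERR"
        os.write(wfd, report.encode())
        os._exit(0)
    os.close(wfd)
    report = os.read(rfd, 64).decode()  # empty if the child crashed
    os.close(rfd)
    os.waitpid(pid, 0)
    return classify(report)


if __name__ == "__main__":
    print("user namespace creation for uid %d: %s" % (os.getuid(), probe_userns()))
```

Run it as the unprivileged account you want to audit; running it as root always yields "allowed_full" and says nothing about the restriction.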
