New Ubuntu Linux Security Bypasses Require Manual Mitigations (bleepingcomputer.com)
(Saturday March 29, 2025 @12:34PM (EditorDavid)
from the all-bugs-are-shallow dept.)
- Reference: 0176854237
- News link: https://it.slashdot.org/story/25/03/29/0555241/new-ubuntu-linux-security-bypasses-require-manual-mitigations
- Source link: https://www.bleepingcomputer.com/news/security/new-ubuntu-linux-security-bypasses-require-manual-mitigations/
An anonymous reader shared [1]this report from BleepingComputer :
> [2]Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could be enable a local attacker to exploit vulnerabilities in kernel components. The issues allow local unprivileged users to create user namespaces with full administrative capabilities and impact Ubuntu versions 23.10, where unprivileged user namespaces restrictions are enabled, and 24.04 which has them active by default...
>
> Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse. Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways... The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, and they are not enough to obtain complete control of the system... Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by [3]vulnerability researcher Roddux , who published the details on March 21.
>
> Canonical, the organization behind Ubuntu Linux, has acknowledged Qualys' findings and confirmed to BleepingComputer that they are developing improvements to the AppArmor protections. A spokesperson told us that they are not treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.
Canonical [4]shared hardening steps that administrators should consider in a bulletin published on their official "Ubuntu Discourse" discussion forum.
[1] https://www.bleepingcomputer.com/news/security/new-ubuntu-linux-security-bypasses-require-manual-mitigations/
[2] http://www.qualys.com/2025/three-bypasses-of-Ubuntu-unprivileged-user-namespace-restrictions.txt
[3] http://x.com/roddux/status/1903081918578532391
[4] https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007
> [2]Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could be enable a local attacker to exploit vulnerabilities in kernel components. The issues allow local unprivileged users to create user namespaces with full administrative capabilities and impact Ubuntu versions 23.10, where unprivileged user namespaces restrictions are enabled, and 24.04 which has them active by default...
>
> Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse. Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways... The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, and they are not enough to obtain complete control of the system... Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by [3]vulnerability researcher Roddux , who published the details on March 21.
>
> Canonical, the organization behind Ubuntu Linux, has acknowledged Qualys' findings and confirmed to BleepingComputer that they are developing improvements to the AppArmor protections. A spokesperson told us that they are not treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.
Canonical [4]shared hardening steps that administrators should consider in a bulletin published on their official "Ubuntu Discourse" discussion forum.
[1] https://www.bleepingcomputer.com/news/security/new-ubuntu-linux-security-bypasses-require-manual-mitigations/
[2] http://www.qualys.com/2025/three-bypasses-of-Ubuntu-unprivileged-user-namespace-restrictions.txt
[3] http://x.com/roddux/status/1903081918578532391
[4] https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007
More like corporate Windoze (Score:2)
Adding extra "security" layers is just stupid: It breaks backwards functionality, and makes it very hard to mae code run on a lot of distros, because each add their security fad. Furthermore, with usernamespace restrictions the IT world have been forced into running containers as root via Docker instead of just running them as applications without privileges in the first place. Trust the Linux kernel's security or at least the ability to quickly fix issues, instead of adding non-compatible layers for each
Re: More like corporate Windoze (Score:2)
Keep doubling down on your arrogance fueled ignorance.