The Qualys Threat Research Unit has announced its discovery of “CrackArmor,” a set of nine vulnerabilities within AppArmor, a widely used security module in the Linux kernel. These flaws have left over 12 million enterprise systems running Ubuntu, Debian, and SUSE distributions exposed since 2017, enabling local attackers to gain full root access, execute container breakouts, and cause system-wide crashes.
The CrackArmor vulnerabilities exploit a “confused deputy” flaw: a class of weakness in which a trusted, higher-privilege program is manipulated into misusing its own authority on behalf of a less-privileged caller. Attackers can trick system processes into performing malicious actions for them, effectively bypassing security controls to gain unauthorized access or escalate privileges without needing administrative credentials.
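To make the confused-deputy pattern concrete, the following is an added teaching example written for this article; it is not Qualys code and does not model the actual AppArmor defect. It simulates a privileged service (the deputy) that reads files on behalf of callers over a constructed in-memory filesystem. The vulnerable version checks only whether the deputy itself may read the file; the hardened version checks the requesting principal's authority before acting. The principals, paths and file contents are all constructed placeholders.

```python
"""
Generic confused-deputy model (added illustration, not Qualys code).

A trusted service runs with more authority than the callers it serves. If it
acts on a caller-supplied request using ITS OWN authority rather than checking
the CALLER's authority, an unprivileged caller can make it do things the
caller could never do directly. This is the flaw class the article describes,
shown on a toy filesystem; it is not the real AppArmor mechanism.
"""
from dataclasses import dataclass

# Constructed in-memory "filesystem": path -> (owner, unix mode bits, content).
# Contents are placeholders, not real data.
FILES = {
    "/etc/shadow": ("root", 0o600, "root:<placeholder-hash>:19000::::::"),
    "/home/alice/notes.txt": ("alice", 0o644, "alice's notes"),
}


@dataclass(frozen=True)
class Principal:
    """A hypothetical caller identity (constructed for the example)."""
    name: str
    uid: int


ROOT = Principal("root", 0)     # the deputy's own identity
ALICE = Principal("alice", 1000)  # an unprivileged caller


def _may_read(principal: Principal, path: str) -> bool:
    """Toy access check: root reads anything; owner needs 0o400; others 0o004."""
    owner, mode, _ = FILES[path]
    if principal.uid == 0:
        return True
    if principal.name == owner:
        return bool(mode & 0o400)
    return bool(mode & 0o004)


def deputy_read_vulnerable(requester: Principal, path: str) -> str:
    """Confused deputy: the authority check is made for the DEPUTY (root),
    so the requester is never consulted and any caller can read any path."""
    if not _may_read(ROOT, path):
        raise PermissionError(path)
    return FILES[path][2]


def deputy_read_hardened(requester: Principal, path: str) -> str:
    """Fixed: the deputy checks the REQUESTER's authority, then acts for them."""
    if not _may_read(requester, path):
        raise PermissionError(f"{requester.name} may not read {path}")
    return FILES[path][2]


def can_read_via(deputy, requester: Principal, path: str) -> bool:
    """True if `requester` obtains the file contents through `deputy`."""
    try:
        deputy(requester, path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for name, deputy in (("vulnerable", deputy_read_vulnerable),
                         ("hardened", deputy_read_hardened)):
        for path in FILES:
            print(f"{name:10s} alice -> {path}: {can_read_via(deputy, ALICE, path)}")
```

The key design point is where the authority check is evaluated: the hardened deputy carries the caller's identity through to the check rather than substituting its own, which is the general remedy for this flaw class regardless of the subsystem involved.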
The discovery highlights a significant risk across numerous sectors. Industries most impacted include cloud computing, banking and finance, manufacturing, healthcare, and government.
“These discoveries highlight critical gaps in how we rely on default security assumptions,” said Dilip Bachwani, Chief Technology Officer at Qualys. “CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials. For CISOs, this means patching alone isn’t enough; we must re-examine our entire assumption of what ‘default’ configurations mean for our infrastructure.”
Qualys researchers have determined that the only reliable method to mitigate the CrackArmor vulnerabilities is through immediate kernel patching. Organizations are urged to apply the necessary security updates to protect their systems from potential exploitation.
In keeping with the responsible disclosure process, the Qualys TRU team coordinated and communicated with upstream maintainers for several months to ensure that fixes were robust and stable across all Linux distributions prior to public release. Qualys continues to work with the community to address these critical security issues.
More information is available in the Qualys blog post on CrackArmor.