Ubuntu Kernel Module Found With GameOver(lay) Vulnerabilities

essidsolutions
  • Introduced recently in Ubuntu’s kernel, specifically the OverlayFS module, two vulnerabilities can allow threat actors to escalate privileges.
  • The OverlayFS module is highly popular for container docking.
  • The two vulnerabilities, CVE-2023-2640 and CVE-2023-32629, scored 7.8 and 5.4 out of 10 on the CVSS v3 scale.

As many as 40% of Ubuntu cloud workstations are vulnerable to a pair of new vulnerabilities. This week, cybersecurity company Wiz disclosed two vulnerabilities, CVE-2023-2640 and CVE-2023-32629, which it discovered in June 2023.

Introduced recently in Ubuntu’s kernel, specifically the OverlayFS module, the two vulnerabilities may allow threat actors to escalate privileges. The vulnerabilities trace back to Ubuntu’s modifications to the Linux kernel in 2018. When a security bug was identified and fixed in the Linux kernel in 2020, an additional vulnerable flow was left unfixed because of Ubuntu’s previous modifications, leading to the latest two vulnerabilities.

“OverlayFS serves as an attractive attack surface as it has a history of numerous logical vulnerabilities that were easy to exploit,” Wiz explained. “This makes the newly discovered vulnerabilities especially risky given the exploits for the past OverlayFS vulnerabilities work out of the box without any changes.”

The module itself is highly popular for container docking as it allows the union of an upper directory tree with a lower directory tree and merges them, regardless of the two belonging to different file systems. The module also imparts modification and file removal capabilities.

Wiz named the pair of vulnerabilities “GameOver(lay)” and described them as “easy-to-exploit.” CVE-2023-2640 scored 7.8 out of 10 on the CVSS v3 scale, while CVE-2023-32629 scored 5.4, placing them in the high- and medium-severity categories, respectively.

Exploiting the vulnerabilities can allow an attacker to gain a specific root user-level privilege called ‘file capabilities,’ which grants elevated privileges to executables while they’re executed. “It’s possible to craft an executable file with ‘scoped’ file capabilities and trick the Ubuntu kernel into copying it to a different location with ‘unscoped’ capabilities, granting anyone who executes it root-like privileges,” Wiz explained.
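For auditing, file capabilities are stored in the `security.capability` extended attribute, and the parser below (an added example, not code from Wiz, Ubuntu or the original article) decodes that value so a defender can tell a namespace-scoped entry from an unscoped one. Reading “scoped” as the revision 3 format that carries a root ID is an assumption about the quote; the function names and sample bytes are constructed for illustration.

```python
import errno
import os
import struct

# Values from the Linux UAPI header linux/capability.h
REV_MASK, REV_1, REV_2, REV_3 = 0xFF000000, 0x01000000, 0x02000000, 0x03000000
FLAG_EFFECTIVE = 0x000001
XATTR_LEN = {REV_1: 12, REV_2: 20, REV_3: 24}  # header + cap words (+ rootid in v3)
CAP_NAMES = {0: "cap_chown", 7: "cap_setuid", 21: "cap_sys_admin"}  # display subset


def parse_vfs_cap(raw: bytes) -> dict:
    """Decode a security.capability xattr value (little-endian on disk)."""
    if len(raw) < 4:
        raise ValueError("truncated capability xattr")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    rev = magic_etc & REV_MASK
    if XATTR_LEN.get(rev) != len(raw):
        raise ValueError("unknown revision or unexpected length")
    permitted = 0
    for i in range(1 if rev == REV_1 else 2):  # 32-bit (permitted, inheritable) pairs
        word, _inheritable = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= word << (32 * i)
    rootid = struct.unpack_from("<I", raw, 20)[0] if rev == REV_3 else None
    return {
        "revision": rev >> 24,
        "effective": bool(magic_etc & FLAG_EFFECTIVE),
        "permitted": [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if permitted >> b & 1],
        "rootid": rootid,
        # Only revision 3 with a non-zero rootid is tied to one user namespace.
        "scoped": bool(rootid),
    }


def file_caps(path: str):
    """Return parsed capabilities for a file, or None if it has none (Linux only)."""
    try:
        return parse_vfs_cap(os.getxattr(path, "security.capability", follow_symlinks=False))
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


# Constructed sample values, not taken from a real system: cap_setuid+ep
SAMPLE_UNSCOPED = struct.pack("<5I", REV_2 | FLAG_EFFECTIVE, 1 << 7, 0, 0, 0)
SAMPLE_SCOPED = struct.pack("<6I", REV_3 | FLAG_EFFECTIVE, 1 << 7, 0, 0, 0, 100000)

if __name__ == "__main__":
    for name, raw in (("unscoped", SAMPLE_UNSCOPED), ("scoped", SAMPLE_SCOPED)):
        print(name, parse_vfs_cap(raw))
```

On a live system, calling `file_caps()` on executables in user-writable locations and reviewing any result with `scoped` false and `effective` true gives a quick inventory of binaries that carry capabilities valid outside a user namespace.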

GameOver(lay) Vulnerabilities Explained


Wiz identified the two flaws in June and reported them to Ubuntu on June 23, 2023. Ubuntu confirmed the existence of the two bugs to Wiz the next day. As of July 25, 2023, patches are available to download.

The following Ubuntu versions are impacted by CVE-2023-2640 and CVE-2023-32629:

  • Ubuntu 23.04 (Lunar Lobster) — v6.2.0
  • Ubuntu 22.10 (Kinetic Kudu) — v5.19.0
  • Ubuntu 22.04 LTS (Jammy Jellyfish) — v5.19.0, v6.2.0

The following Ubuntu versions are impacted by CVE-2023-32629 only:

  • Ubuntu 20.04 LTS (Focal Fossa) — v5.4.0
  • Ubuntu 18.04 LTS (Bionic Beaver) — v5.4.0

Wiz concluded, “The vulnerabilities we discovered also highlight the risks involved in modifying complex open-source projects. Initially, Ubuntu’s kernel modifications seemed harmless. After subsequent changes made to the Linux kernel, which would naturally seem reasonable to any developer, vulnerabilities were inadvertently introduced.”

To patch your Ubuntu instance, refer to Ubuntu’s security update notice.
