OverlayFS Vulnerability Allows Ubuntu Privilege Escalation

A recent report disclosed vulnerabilities in the Ubuntu-specific patches to the Linux OverlayFS module. These vulnerabilities allow a local attacker to elevate their privileges on the system. The researchers estimate that the vulnerabilities can be exploited on approximately 40% of Ubuntu installations. Updates addressing them were released on July 26 for Ubuntu versions 23.04, 22.04, 20.04, 18.04, 16.04, and 14.04.

The first vulnerability, CVE-2023-2640, was introduced in 2018 through changes made to the Ubuntu-specific OverlayFS module. These changes allowed individual extended attributes of files to be set and removed without the proper access-rights checks. The initial implementation only affected the trusted.overlayfs.* attributes, however, so it posed no immediate threat.

In 2022, a patch was added to the mainline implementation of OverlayFS in the Linux kernel that conflicted with the Ubuntu-specific changes. The combination disabled the access-rights check for all extended attributes, not just trusted.overlayfs.*. By creating a user namespace (mapping user identifiers), an unprivileged user could exploit the vulnerability to modify extended attributes of files in the OverlayFS mount, causing them to be stored in the upper layer of the overlay.

The second vulnerability, CVE-2023-32629, is also a missing permission check. In the ovl_copy_up_meta_inode_data function, ovl_do_setxattr was called instead of vfs_setxattr, bypassing the access checks on the overlay's internal extended attributes. As with the first vulnerability, the original Ubuntu-specific change did not introduce the flaw on its own; the issue arose after changes were made to the mainline OverlayFS implementation in 2019.

Working exploits for both vulnerabilities have already been published. For an attack to succeed, the system must allow unprivileged users to mount OverlayFS. As a temporary workaround, administrators can disable the creation of unprivileged user namespaces.
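The following shell script is an added example, not part of the original report, that checks the two preconditions the report names for a host: whether unprivileged user namespace creation is allowed and whether the overlay module is loaded. It assumes the Ubuntu kernel sysctl kernel.unprivileged_userns_clone (exposed under /proc/sys) is present; the functions take a file path so they can also be run against constructed input.

```shell
#!/bin/sh
# Exposure check for the Ubuntu OverlayFS issues (CVE-2023-2640, CVE-2023-32629).
# Added example; it only reports the state of the host and prints the workaround.

# userns_status [FILE]: read an Ubuntu-style sysctl file (default: the live one,
# assumed to exist on Ubuntu kernels) and print "blocked", "allowed" or "unknown".
userns_status() {
    file="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ ! -r "$file" ]; then
        echo "unknown"
        return 0
    fi
    read -r value < "$file"
    case "$value" in
        0) echo "blocked" ;;
        1) echo "allowed" ;;
        *) echo "unknown" ;;
    esac
}

# overlay_available [FILE]: succeed when "overlay" is listed in a /proc/modules-style file.
overlay_available() {
    file="${1:-/proc/modules}"
    [ -r "$file" ] && grep -q '^overlay ' "$file"
}

# report: combine both checks for the running host and print the workaround if exposed.
report() {
    st=$(userns_status)
    echo "unprivileged user namespaces: $st"
    if overlay_available; then
        echo "overlay module: loaded"
    else
        echo "overlay module: not listed (may be built in or loaded on demand)"
    fi
    if [ "$st" = "allowed" ]; then
        echo "Host is exposed until the July 26 kernel update is installed."
        echo "Temporary workaround: sysctl -w kernel.unprivileged_userns_clone=0"
    fi
}

report
```

On a non-Ubuntu kernel the sysctl file is absent and the script reports "unknown" rather than guessing.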

For more information, please refer to the