Cloud security firm Wiz’s researchers have unearthed two readily exploitable privilege escalation vulnerabilities in Ubuntu’s OverlayFS module, potentially affecting 40% of Ubuntu cloud systems.
OverlayFS functions as a union filesystem that lets one filesystem sit on top of another, so files can be modified without altering the base layer. It lets users copy files from the base layer to the upper layer and operate on them there while preserving their metadata, something that would otherwise be impossible in Linux.
The Wiz team pinpointed an error in the Ubuntu-specific OverlayFS module that allows a specially crafted executable to escalate privileges to ‘root’ on the affected machine. The Ubuntu kernel can be tricked into copying this file to another location, granting root-equivalent privileges to anyone who runs it. Wiz identified two flaws which, taken together, the company has named GameOver(lay).
This defect works similarly to a Linux kernel vulnerability (CVE-2021-3493) identified in 2021. However, Ubuntu had modified its kernel in 2018 in a way that meant the later upstream kernel mitigations did not fully eliminate the underlying flaw from Ubuntu’s OverlayFS module.
Ami Luttwak, co-founder and CTO at Wiz, explains, “The subtle amendments to the Linux kernel incorporated by Ubuntu years ago carry unanticipated consequences. We’ve uncovered two privilege escalation vulnerabilities triggered by these adjustments, and it’s unclear how many other vulnerabilities remain concealed within the complexity of the Linux kernel.”
The Wiz team unveiled two vulnerabilities in the Ubuntu OverlayFS module: CVE-2023-2640 and CVE-2023-32629, collectively termed ‘GameOver(lay)’.
CVE-2023-2640 arises because the Ubuntu OverlayFS module fails to convert file security capabilities before copying the file up. Consequently, a non-privileged user can create a new directory structure and enter a new user namespace with administrative-like capabilities. They can then perform an OverlayFS mount and ultimately produce a file whose capabilities apply to the init user namespace, effectively raising the user’s privileges to root.
The researchers declare, “Successful exploitation of CVE-2023-2640 results in creating a ‘capable’ file in the upperdir directory that bestows root-equivalent capabilities on anyone who executes it.”
CVE-2023-32629 is akin to CVE-2023-2640, but affects slightly different kernel versions, with exploitation stemming from a distinct code flow. The outcome is the same: the researchers state, “The file possesses capabilities applicable to the init user namespace, which effectively escalates the user’s privileges to root.”
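Both CVE descriptions above turn on the same condition: a file capability that is honoured in the initial user namespace rather than in the unprivileged namespace that created it. The following script is an added example for the defender's side, not Wiz's tooling or code from the article. It parses the raw `security.capability` extended attribute the kernel stores on a file (the v2 and v3 layouts from the kernel's UAPI capability header), reports whether the capability set is bound to the initial user namespace (v2, or v3 with rootid 0), and walks a directory tree flagging such files so an administrator can compare them against the packages that legitimately ship capability-bearing binaries. The sample xattr values are constructed inline; `scan_for_init_ns_caps` is a helper name chosen here and only does work on Linux, where `os.getxattr` exists.

```python
import os
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# On-disk layout of the security.capability xattr (Linux UAPI capability.h):
# a 32-bit little-endian magic_etc word carrying the revision and the
# "effective" flag, two (permitted, inheritable) 32-bit pairs (low and high
# halves of the 64-bit masks), and, for revision 3 only, a trailing rootid
# naming the user namespace whose root the capability belongs to.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
XATTR_CAPS_SZ_2 = 20
XATTR_CAPS_SZ_3 = 24

# Capability numbers 0..31 in kernel order.
_CAP_NAMES = (
    "CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL "
    "CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE "
    "CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE "
    "CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT "
    "CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE "
    "CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP"
).split()


@dataclass(frozen=True)
class FileCaps:
    revision: int
    effective: bool
    permitted: int
    inheritable: int
    rootid: Optional[int]  # None for a v2 xattr, which has no namespace field


def parse_vfs_cap(raw: bytes) -> FileCaps:
    """Decode a raw security.capability value; raise ValueError on malformed input."""
    if len(raw) < 4:
        raise ValueError("security.capability xattr too short")
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    if revision == VFS_CAP_REVISION_2:
        if len(raw) != XATTR_CAPS_SZ_2:
            raise ValueError("bad v2 xattr length %d" % len(raw))
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", raw, 4)
        rootid = None
    elif revision == VFS_CAP_REVISION_3:
        if len(raw) != XATTR_CAPS_SZ_3:
            raise ValueError("bad v3 xattr length %d" % len(raw))
        p_lo, i_lo, p_hi, i_hi, rootid = struct.unpack_from("<5I", raw, 4)
    else:
        raise ValueError("unknown security.capability revision 0x%08x" % revision)
    return FileCaps(revision, effective, p_lo | (p_hi << 32), i_lo | (i_hi << 32), rootid)


def cap_names(mask: int) -> List[str]:
    """Expand a 64-bit capability mask into names, lowest bit first."""
    return [_CAP_NAMES[b] if b < len(_CAP_NAMES) else "CAP_%d" % b
            for b in range(64) if (mask >> b) & 1]


def applies_to_init_userns(caps: FileCaps) -> bool:
    # A v2 xattr carries no rootid and is honoured relative to the initial user
    # namespace; a v3 xattr is tied to the namespace whose root owner is rootid,
    # so rootid == 0 also means the initial namespace. Either form is what the
    # article describes: a file whose capabilities apply to the init user namespace.
    return caps.rootid is None or caps.rootid == 0


def scan_for_init_ns_caps(root: str) -> Iterator[Tuple[str, FileCaps]]:
    """Walk a tree and yield files whose capability xattr binds to the init user namespace."""
    getxattr = getattr(os, "getxattr", None)  # Linux only
    if getxattr is None:
        return
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # no xattr present (ENODATA), permission denied, etc.
                continue
            try:
                caps = parse_vfs_cap(raw)
            except ValueError:
                continue
            if applies_to_init_userns(caps):
                yield path, caps


# Constructed sample xattr values (not taken from any real system).
_PERM = (1 << 6) | (1 << 7) | (1 << 21)  # CAP_SETGID | CAP_SETUID | CAP_SYS_ADMIN
SAMPLE_V3_INIT_NS = struct.pack("<6I", VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE, _PERM, 0, 0, 0, 0)
SAMPLE_V3_USER_NS = struct.pack("<6I", VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE, _PERM, 0, 0, 0, 100000)
SAMPLE_V2 = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, _PERM, 0, 0, 0)

if __name__ == "__main__":
    import sys
    for label, raw in (("v3 rootid=0", SAMPLE_V3_INIT_NS),
                       ("v3 rootid=100000", SAMPLE_V3_USER_NS), ("v2", SAMPLE_V2)):
        caps = parse_vfs_cap(raw)
        scope = "init-ns" if applies_to_init_userns(caps) else "namespaced"
        print(label, scope, cap_names(caps.permitted))
    for path, caps in scan_for_init_ns_caps(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(path, cap_names(caps.permitted))
```

Running the script with a directory argument lists every file under it that carries an init-namespace capability set; on a stock system the hits should be the handful of packaged binaries that are meant to have them, so any file appearing in a user-writable location or an OverlayFS upperdir is worth investigating.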
OverlayFS has previously demonstrated vulnerabilities, including CVE-2016-1576, CVE-2021-3847, CVE-2021-3493, and CVE-2023-0386. The Wiz team observes that CVE-2021-3493 is so akin to one of the GameOver(lay) vulnerabilities that “its publicly available PoC can currently be used to exploit that vulnerability as is.”
On July 24, 2023, Ubuntu resolved the vulnerabilities, and users are strongly encouraged to update their kernels.
New York’s Wiz was launched in January 2020 by Ami Luttwak (CTO), Assaf Rappaport (CEO), Roy Reznik (VP R&D), and Yinon Costica (VP of product). In its most recent funding round (Series D, February 2023), it garnered $300 million, raising the total funding to $900 million, and giving the firm a valuation of $10 billion.