Two high-priority vulnerabilities have been discovered in the OverlayFS module of Ubuntu Linux, impacting approximately 40% of Ubuntu cloud workloads.
According to security experts at Wiz Research, the vulnerabilities, designated as CVE-2023-2640 and CVE-2023-32629, were discovered in the widely used Linux filesystem, OverlayFS, which gained popularity with the widespread adoption of container technology due to its ability to deploy dynamic filesystems based on pre-built images.
The vulnerabilities allow attackers to escalate privileges to the root level on affected systems. OverlayFS presents an attractive attack surface because of its history of logical vulnerabilities that have been easy to exploit. Of particular concern is that the exploits written for previous OverlayFS vulnerabilities work against these newly discovered flaws without modification.
“These vulnerabilities are the result of a number of separate change incidents that happened over the span of years,” warned John A. Smith, CEO at Conversant Group.
“As a result, there are proof of concept (POC) hacks publicly available for them—meaning, they pose a high risk of exploitation and should be patched immediately.”
The issues are specific to Ubuntu Linux because the distribution introduced changes to the OverlayFS module in 2018, which initially did not pose any risks. However, subsequent security patches in the Linux kernel did not fully address Ubuntu’s modifications, leading to additional vulnerable flows that persisted unnoticed until now.
“Subtle changes in the Linux kernel introduced by Ubuntu many years ago have unforeseen implications,” explained Wiz CTO and co-founder, Ami Luttwak.
“We found two privilege escalation vulnerabilities caused by these changes, and who knows how many other vulnerabilities are still lurking in the shadows of the Linux kernel spaghetti?”
Ubuntu has responded promptly to the discovery and released fixed versions for the impacted kernels. Users are urged to update their kernels to the latest versions to mitigate the risk. Additionally, a workaround is available for users who cannot immediately update their systems: restricting the use of user namespaces by users with limited privileges can help prevent exploitation.
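The workaround described above maps, on Ubuntu kernels, to the distribution-specific `kernel.unprivileged_userns_clone` sysctl. The script below is an added example (not from the article, Wiz or Ubuntu) that reports whether that restriction is in place and shows how an administrator would apply and persist it; the sysctl name, the drop-in file path under `/etc/sysctl.d/` and the environment variable `SYSCTL_FILE` are assumptions for this illustration.

```shell
#!/bin/sh
# Check / apply the OverlayFS mitigation: restrict creation of user namespaces
# to privileged users. Ubuntu kernels expose this as a sysctl; a value of 0
# means unprivileged users may no longer create user namespaces.
# SYSCTL_FILE is an assumed override so the check can be exercised on a copy.
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/kernel/unprivileged_userns_clone}"

# userns_status FILE
#   prints "restricted"   (value 0, workaround in place)      -> exit 0
#          "unrestricted" (value 1, unprivileged userns open) -> exit 1
#          "unavailable"  (file missing or unexpected value)  -> exit 2
userns_status() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo unavailable        # not an Ubuntu/Debian kernel, or /proc not mounted
        return 2
    fi
    case "$(cat "$f")" in
        0) echo restricted;   return 0 ;;
        1) echo unrestricted; return 1 ;;
        *) echo unavailable;  return 2 ;;
    esac
}

# apply_workaround: disable unprivileged user namespaces now and keep the
# setting across reboots via a sysctl drop-in (needs root). Software that
# depends on unprivileged user namespaces (rootless containers, browser and
# Flatpak sandboxes) will stop working, so test before a fleet-wide rollout.
apply_workaround() {
    sysctl -w kernel.unprivileged_userns_clone=0 || return 1
    printf 'kernel.unprivileged_userns_clone = 0\n' \
        > /etc/sysctl.d/99-disable-unpriv-userns.conf
}

status=$(userns_status "$SYSCTL_FILE") || :
echo "unprivileged user namespaces: $status"
```

Run it as-is to audit a host; call `apply_workaround` as root only on systems that cannot take the fixed kernel yet, and remove the drop-in once the kernel is updated.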
“The vulnerabilities shown here do highlight how the relationships between Linux kernel development and individual distributions adding their own special tweaks can have unforeseen consequences,” said Mike Parkin, senior technical engineer at Vulcan Cyber.
“Fortunately, while these vulnerabilities would be easy to exploit, they require local user access, which should limit the attack surface. Remote exploitation seems very unlikely.”
The responsible disclosure process began in June 2023 when Wiz Research reported the vulnerabilities to Ubuntu. The Linux distribution confirmed the issues and worked on addressing them, leading to the release of patches by the end of July 2023.