Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about the active exploitation of a Linux kernel vulnerability, officially listed as CVE-2023-0386. The vulnerability, rated High with a CVSS score of 7.8, is categorized as a Linux kernel privilege escalation flaw. It stems from improper ownership management within the Linux kernel's OverlayFS subsystem. If exploited successfully, a local attacker can escalate privileges on affected systems, gain unauthorized access, and execute arbitrary code with elevated rights.

## Breakdown of CVE-2023-0386

CVE-2023-0386 was identified and patched in early 2023. The flaw arises when a user copies a file carrying file capabilities from a nosuid mount into another mount. According to the CISA alert, "Linux kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found... in how a user copies a capable file from a nosuid mount into another mount."

The fix was authored by Miklos Szeredi, the OverlayFS maintainer and a long-time Linux kernel contributor. The commit that addressed the flaw (commit ID: 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3) was made on January 27, 2023. Szeredi's commit message notes that a copy-up must be rejected when the file's user ID (UID) or group ID (GID) has no mapping in the mounting user namespace. This matches the existing handling of POSIX ACLs, which fails operations when invalid UID/GID mappings are detected.

## Technical Insights

The vulnerability exists in the OverlayFS subsystem, specifically in the copy-up path (ovl_copy_up_one). In Linux kernel versions before 6.2-rc6, the copy-up performed no check that the owner of the lower file is mapped in the mounting user namespace, so a capable setuid file owned by an unmapped ID (such as host root) could be copied up, ownership and capabilities intact, from a nosuid mount into another mount where it can then be executed with those capabilities. According to the patch notes, if st_uid or st_gid does not have a valid mapping in the mounting user namespace, the copy-up operation should fail, mirroring what happens when the mounting task copies the file itself with cp -a.

The commit message also records an edge case: cp -a might succeed where the copy-up now fails, because stat(2) reports an unmapped owner as the fallback UID/GID 65534, and that fallback value may itself be mapped in the namespace. The patch sides with rejecting the copy-up outright rather than silently copying a file whose true owner the mounter could not have assigned. CISA's decision to include CVE-2023-0386 in its Known Exploited Vulnerabilities (KEV) catalog confirms that threat actors are actively leveraging this flaw in attacks. Privilege escalation vulnerabilities are particularly dangerous in multi-user environments, containers, and cloud-based workloads, where strict privilege boundaries are critical.

## Industry Response and NetApp Advisory

Leading technology companies responded to the flaw, including NetApp, which issued advisory NTAP-20230420-0004 detailing the impact across its product lines. NetApp identified multiple products using vulnerable versions of the Linux kernel and confirmed that exploitation could result in data disclosure, data modification, or denial-of-service (DoS). Affected systems include:

- NetApp HCI Baseboard Management Controllers (H300S, H500S, H700S, H410S, H410C)
- Other products incorporating Linux kernel versions before 6.2-rc6

NetApp published a full list of impacted and unaffected products in its advisory, confirming that software updates will be made available through its support portal. As of the latest update, NetApp lists no workarounds, so patching is the only vendor-supported remedy.

## Mitigations and Recommendations

System administrators and security professionals are urged to:

- Update to a kernel that contains the fix: Linux 6.2-rc6 or later, or a stable/distribution kernel into which commit 4f11ada10d0a has been backported (check the distribution's changelog for CVE-2023-0386 rather than comparing version numbers alone).
- Monitor systems for unusual privilege elevation behavior, especially in containerized or multi-user environments.

The exploit's technical complexity is relatively low: it requires local access with low privileges but no user interaction. The assigned vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, a High (7.8) rating with high impact on confidentiality, integrity and availability.
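The copy-up check and the cp -a corner case discussed above, modelled in user space as an added example written for this article (it is not kernel code and not from the page's sources). It assumes ID maps in /proc/<pid>/uid_map syntax ("ns_id host_id count" per line), that stat(2) reports an unmapped owner as the kernel's default overflow ID 65534, and that the patched path returns -EOVERFLOW; the errno value and the `copy_up_result` / `cp_a_chown_would_succeed` names are this example's choices. The scenarios in `main` are constructed.

```c
/*
 * Added illustration (not kernel code): a user-space model of the
 * CVE-2023-0386 fix, which makes overlayfs copy-up fail when the lower
 * file's owner or group has no mapping in the mounting user namespace.
 * Assumptions: /proc/<pid>/uid_map syntax for maps, overflow id 65534 for
 * unmapped ids as seen through stat(2), and -EOVERFLOW as the rejection errno.
 */
#include <errno.h>
#include <stdio.h>

#define OVERFLOW_ID 65534u   /* kernel default overflowuid/overflowgid */
#define MAX_EXTENTS 8

struct id_extent { unsigned int ns_first, host_first, count; };
struct id_map { struct id_extent ext[MAX_EXTENTS]; int nr; };

/* Parse uid_map/gid_map text. Returns number of extents, or -1 on bad input. */
static int parse_id_map(const char *text, struct id_map *map)
{
    const char *p = text;
    map->nr = 0;
    while (*p) {
        unsigned int ns, host, count;
        int used = 0;
        if (map->nr == MAX_EXTENTS ||
            sscanf(p, " %u %u %u%n", &ns, &host, &count, &used) != 3 || count == 0)
            return -1;
        map->ext[map->nr++] = (struct id_extent){ ns, host, count };
        p += used;
        while (*p == ' ' || *p == '\n')
            p++;
    }
    return map->nr;
}

/* Host (kernel) id -> namespace id, like from_kuid(); -1 if unmapped. */
static long ns_id_from_host(const struct id_map *map, unsigned int host_id)
{
    for (int i = 0; i < map->nr; i++) {
        const struct id_extent *e = &map->ext[i];
        if (host_id >= e->host_first && host_id - e->host_first < e->count)
            return (long)e->ns_first + (host_id - e->host_first);
    }
    return -1;
}

/* Namespace id -> host id, like make_kuid(); -1 if unmapped. */
static long host_id_from_ns(const struct id_map *map, unsigned int ns_id)
{
    for (int i = 0; i < map->nr; i++) {
        const struct id_extent *e = &map->ext[i];
        if (ns_id >= e->ns_first && ns_id - e->ns_first < e->count)
            return (long)e->host_first + (ns_id - e->ns_first);
    }
    return -1;
}

/* What stat(2) reports inside the namespace: unmapped ids become 65534. */
static unsigned int ns_id_munged(const struct id_map *map, unsigned int host_id)
{
    long id = ns_id_from_host(map, host_id);
    return id < 0 ? OVERFLOW_ID : (unsigned int)id;
}

/*
 * Copy-up decision for a lower file owned by (host_uid, host_gid), evaluated
 * in the mounter's namespace. patched == 0 models kernels before 6.2-rc6,
 * where copy-up proceeds regardless of mapping; patched == 1 models the
 * kuid_has_mapping()/kgid_has_mapping() check added by commit 4f11ada10d0a.
 * Returns 0 (copy-up allowed), -EOVERFLOW (rejected) or -EINVAL (bad map).
 */
int copy_up_result(const char *uid_map_text, const char *gid_map_text,
                   unsigned int host_uid, unsigned int host_gid, int patched)
{
    struct id_map uid_map, gid_map;
    if (parse_id_map(uid_map_text, &uid_map) < 0 ||
        parse_id_map(gid_map_text, &gid_map) < 0)
        return -EINVAL;
    if (!patched)
        return 0;
    if (ns_id_from_host(&uid_map, host_uid) < 0 ||
        ns_id_from_host(&gid_map, host_gid) < 0)
        return -EOVERFLOW;
    return 0;
}

/*
 * Would "cp -a" run by the mounter manage to restore ownership? It reads the
 * (munged) owner via stat(2) and hands it back to chown(2), which accepts only
 * ids that map into the namespace. Returns 1/0, or -1 on a bad map.
 */
int cp_a_chown_would_succeed(const char *uid_map_text, unsigned int host_uid)
{
    struct id_map uid_map;
    if (parse_id_map(uid_map_text, &uid_map) < 0)
        return -1;
    return host_id_from_ns(&uid_map, ns_id_munged(&uid_map, host_uid)) >= 0;
}

int main(void)
{
    /* Constructed scenarios: the lower file is owned by host root (uid 0),
     * e.g. a capability-bearing setuid binary on a nosuid mount. */
    const char *full = "0 100000 65536\n";  /* typical container map, 65534 is mapped */
    const char *single = "1000 1000 1\n";   /* unprivileged userns mapping one uid */

    printf("unpatched, typical map: copy-up %d\n", copy_up_result(full, full, 0, 0, 0));
    printf("patched,   typical map: copy-up %d, cp -a ok %d\n",
           copy_up_result(full, full, 0, 0, 1), cp_a_chown_would_succeed(full, 0));
    printf("patched,   single map:  copy-up %d, cp -a ok %d\n",
           copy_up_result(single, single, 0, 0, 1), cp_a_chown_would_succeed(single, 0));
    printf("patched,   own file:    copy-up %d\n", copy_up_result(single, single, 1000, 1000, 1));
    return 0;
}
```

The "typical map" run is the corner case from the commit message: the unpatched copy-up succeeds, the patched one is rejected, yet cp -a would still succeed because the 65534 it reads back from stat(2) happens to be a mapped ID in that namespace. With a single-UID map both paths agree, and a file the mounter actually owns (uid 1000) is copied up as before.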
Analysis Summary
# Vulnerability: Actively Exploited Linux Kernel Privilege Escalation (CVE-2023-0386)
## CVE Details
- CVE ID: CVE-2023-0386
- CVSS Score: **7.8 (High)**, from the vector **CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H** (scope unchanged, so 7.8 rather than 8.8).
- CWE: The text describes the flaw as improper ownership management, i.e. CWE-282 (Improper Ownership Management).
## Affected Systems
- Products: Linux Kernel (general), and specific NetApp products incorporating vulnerable kernels.
- NetApp HCI Baseboard Management Controllers (H300S, H500S, H700S, H410S, H410C)
- Versions: Linux kernel versions **before 6.2-rc6**, and distribution kernels that have not received the backported fix.
- Configurations: Relevant to multi-user environments, containers, and cloud-based workloads where privilege boundaries are critical.
## Vulnerability Description
This is a privilege escalation vulnerability within the Linux Kernel that is being actively exploited in the wild. Successful exploitation allows an attacker with local access to elevate their privileges within the affected system, potentially leading to unauthorized data disclosure, modification, or Denial of Service (DoS).
## Exploitation
- Status: **Actively Exploited in the wild** (Flagged by CISA).
- Complexity: **Low** (AC:L; requires only low-privileged local access, PR:L).
- Attack Vector: **Local** (AV:L). Requires local access, but no user interaction (UI:N).
## Impact
- Confidentiality: **High** (C:H)
- Integrity: **High** (I:H)
- Availability: **High** (A:H - Potential for DoS)
## Remediation
### Patches
- **Update to Linux kernel version 6.2-rc6 or later**, or to a stable/distribution kernel that carries the backported fix (commit 4f11ada10d0a); verify via the distribution's CVE-2023-0386 changelog entry rather than the version number alone.
- NetApp advises that software updates addressing the issue will be made available through their support portal (referencing advisory NTAP-20230420-0004).
### Workarounds
- **No workarounds** are listed by NetApp, so patching is the required immediate action. As a hardening measure rather than a vendor workaround: the vulnerable copy-up is evaluated in the mounting user namespace, so hosts that do not need unprivileged user namespaces reduce their exposure by disabling them (for example `sysctl -w user.max_user_namespaces=0`).
## Detection
- **Indicators of Compromise (IOCs):** None are provided in the source; monitoring for unusual privilege elevation behavior is recommended.
- **Detection Methods and Tools:** Monitor for unusual privilege elevation activity, especially in containerized or multi-user environments. Given the mechanism the report describes (a capable file copied up from a nosuid mount inside a user namespace), the events worth auditing are unprivileged processes creating user namespaces and mounting overlayfs, and setuid or capability-bearing binaries appearing under an overlay upper directory.
## References
- Vendor Advisory: NetApp Advisory **NTAP-20230420-0004**
- Relevant links - defanged:
- hxxps://thecyberexpress.com/cisa-warns-cve-2023-0386-linux-vulnerability/
- hxxps://security.netapp.com/advisory/ntap-20230420-0004/