Full Report
Wiz Research discovered CVE-2023-2640 and CVE-2023-32629, two easy-to-exploit privilege escalation vulnerabilities in the OverlayFS module in Ubuntu affecting 40% of Ubuntu cloud workloads.
Analysis Summary
# Vulnerability: GameOver(lay) Privilege Escalation in Ubuntu OverlayFS
## CVE Details
- CVE ID: CVE-2023-2640, CVE-2023-32629
  - CVE-2023-2640: per Ubuntu's advisory, an unprivileged user can set privileged extended attributes on files in the overlay mount, and they are written to the upper files without the usual security checks
  - CVE-2023-32629: per Ubuntu's advisory, `ovl_copy_up_meta_inode_data` skips permission checks when calling `ovl_do_setxattr`
- CVSS Score: Not stated in the source. NVD scores both CVEs 7.8 (High), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which matches a local, low-complexity path to root
- CWE: CWE-269: Improper Privilege Management (inferred; the source names no CWE. The defect is file-capability metadata being copied up without the user-namespace scoping check)
## Affected Systems
- Products: Ubuntu Linux Kernel (specifically the OverlayFS module)
- Versions:
  - Ubuntu 23.04 (Lunar Lobster): Kernel 6.2.0
  - Ubuntu 22.10 (Kinetic Kudu): Kernel 5.19.0
  - Ubuntu 22.04 LTS (Jammy Jellyfish): Kernels 5.19.0 and 6.2.0
  - Ubuntu 20.04 LTS (Focal Fossa): Kernel 5.4.0
  - Ubuntu 18.04 LTS (Bionic Beaver): Kernel 5.4.0
- Configurations: Exploitable when an unprivileged user can mount OverlayFS (Ubuntu permits this inside an unprivileged user namespace) with `metacopy=on`, so that a metadata-only change to a lower file triggers a copy-up of its inode metadata, including the `security.capability` extended attribute. Both flaws originate in Ubuntu-specific modifications to the OverlayFS module made in 2018; upstream kernels and other distributions are not affected.
## Vulnerability Description
These vulnerabilities reside in the Ubuntu-specific modifications to the Linux OverlayFS module. They are logic flaws in how file capabilities (the `security.capability` extended attribute that grants an executable elevated privileges) are handled when OverlayFS copies a file from the lower to the upper layer in a mount with `metacopy=on`.
A low-privileged user first creates a user namespace, where they are root, mounts an OverlayFS with `metacopy=on` over directories they own, and sets file capabilities on an executable in the lower directory. Because this happens inside a user namespace, the kernel stores them as "scoped" capabilities (a v3 `security.capability` value carrying the namespace's root ID), which are honored only inside that namespace. The user then triggers a metadata-only change (for example, a `touch` on the file through the mount point), which makes OverlayFS copy the inode metadata up into the upper directory through `ovl_copy_up_meta_inode_data` calling `ovl_do_setxattr`. That path writes the capability without the user-namespace check, so the executable in the upper directory, which is a plain directory on the host filesystem, ends up with "unscoped" file capabilities that the host kernel honors. Running it grants the user those capabilities (root-equivalent ones such as CAP_SETUID or CAP_SYS_ADMIN in practice), bypassing the restriction that capabilities set inside a user namespace must not be effective outside it. The flow is the same as the CVE-2021-3493 exploit.
## Exploitation
- Status: PoC effectively available; public exploits for CVE-2021-3493 work against these CVEs without modification
- Complexity: Low (no memory corruption; a handful of mount and xattr operations, all reachable by an unprivileged user)
- Attack Vector: Local (requires code execution as any user on the host; in cloud environments this is typically reached from a compromised workload or container that can create user namespaces)
## Impact
- Confidentiality: High (Root access allows access to all system data)
- Integrity: High (Root access allows modification of any file or system setting)
- Availability: High (Root access allows system denial of service)
## Remediation
### Patches
- Ubuntu released patches on July 24th, 2023.
- **Action:** Users must update their Linux kernels to the version provided by the latest security updates released by Ubuntu for their specific distribution release.
### Workarounds
- No vendor workaround is documented; applying the kernel update is the mitigation. The flaw is tied to `metacopy=on` copy-ups, but the attacker chooses the mount options, so avoiding `metacopy` in your own mounts does not help. Because the exploit flow (like CVE-2021-3493's) depends on an unprivileged user creating a user namespace and mounting OverlayFS inside it, restricting unprivileged user namespaces (`sysctl kernel.unprivileged_userns_clone=0` on Ubuntu kernels) reduces exposure where the update cannot be applied immediately, but this is not a source-documented workaround and it breaks software that relies on user namespaces (rootless containers, some browser sandboxes).
## Detection
- **Indicators of compromise:** Regular files, especially non-root-owned ones or ones under user-writable paths such as a user's overlay upper directory, that carry a `security.capability` extended attribute without a user-namespace root ID (an unscoped v2 capability, or v3 with rootid 0); and the usual traces of the CVE-2021-3493 exploit flow: an unprivileged user namespace, an OverlayFS mount sourced from a home or temp directory with `metacopy=on`, followed by a process running with elevated capabilities or uid 0 that was spawned from a user shell.
- **Detection methods and tools:** `ovl_copy_up_meta_inode_data` is an internal kernel function, not a system call, so it is only observable through kernel tracing (for example a kprobe), which is impractical as a fleet-wide control. Practical checks: log the `setxattr` family of system calls from non-root users with auditd and filter afterwards for `security.capability`; alert on unprivileged user-namespace creation followed by an overlay mount with `metacopy=on` (visible in `/proc/<pid>/mountinfo` and mount events); and periodically scan user-writable paths for regular files carrying an unscoped `security.capability` value (`getcap -r /home /tmp /var/tmp` is the quick manual version; recent libcap prints `[rootid=N]` for scoped capabilities). Platform-level vulnerability scanning and privilege-escalation detection, as the source recommends, cover the rest.
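The scoped-versus-unscoped distinction in the description above, and the file scan suggested in the detection notes, both come down to parsing the raw `security.capability` value (the kernel's `vfs_cap_data` layout). The following scanner is an added example written for this page, not code from Wiz or Ubuntu. It decodes v2 and v3 capability blobs, treats a capability as scoped only when it is v3 with a non-zero rootid, and flags unscoped capabilities on non-root-owned files or under user-writable trees. The capability bit table matches the kernel's `CAP_*` numbering; the path list, the "suspicious" heuristic and the sample blobs built with `encode_vfs_cap` are this example's assumptions.

```python
"""Scan a tree for executables carrying unscoped file capabilities.

Added example, not Wiz or Ubuntu code. Decodes the on-disk
security.capability xattr (struct vfs_cap_data / vfs_ns_cap_data from the
kernel UAPI) so a namespaced capability (v3, rootid != 0) can be told apart
from an unscoped one (v2, or v3 with rootid 0), which is what GameOver(lay)
leaves behind in the upper layer. Heuristics and paths are assumptions.
"""
import os
import stat
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_2 = 0x02000000   # 20-byte blob, no namespace information
VFS_CAP_REVISION_3 = 0x03000000   # 24-byte blob, trailing rootid

# Kernel capability numbering, bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE.
CAP_NAMES = (
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
)

# Assumed list of trees where no package legitimately installs capability-bearing binaries.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class FileCaps:
    revision: int
    permitted: frozenset
    inheritable: frozenset
    effective: bool
    rootid: Optional[int]   # None for v2; owning user namespace root uid for v3

    @property
    def scoped(self) -> bool:
        """True only when the capability is confined to a non-init user namespace."""
        return self.rootid not in (None, 0)


def _bits_to_names(lo: int, hi: int) -> frozenset:
    mask = lo | (hi << 32)
    return frozenset("CAP_" + n for i, n in enumerate(CAP_NAMES) if (mask >> i) & 1)


def decode_vfs_cap(blob: bytes) -> FileCaps:
    """Parse the raw value of the security.capability xattr (little-endian words)."""
    if len(blob) < 4:
        raise ValueError("truncated vfs_cap_data")
    magic = struct.unpack_from("<I", blob, 0)[0]
    revision = magic & VFS_CAP_REVISION_MASK
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    if revision == VFS_CAP_REVISION_2 and len(blob) == 20:
        p0, i0, p1, i1 = struct.unpack_from("<4I", blob, 4)
        rootid = None
    elif revision == VFS_CAP_REVISION_3 and len(blob) == 24:
        p0, i0, p1, i1, rootid = struct.unpack_from("<5I", blob, 4)
    else:
        raise ValueError("unsupported or malformed vfs_cap_data: magic=%#x len=%d" % (magic, len(blob)))
    return FileCaps(revision >> 24, _bits_to_names(p0, p1), _bits_to_names(i0, i1), effective, rootid)


def encode_vfs_cap(permitted, inheritable=(), effective=True, rootid=None) -> bytes:
    """Build a blob the way setcap/the kernel lay it out; used here only for constructed samples."""
    def mask(names):
        m = 0
        for n in names:
            m |= 1 << CAP_NAMES.index(n[4:] if n.startswith("CAP_") else n)
        return m
    p, i = mask(permitted), mask(inheritable)
    magic = VFS_CAP_REVISION_2 if rootid is None else VFS_CAP_REVISION_3
    magic |= VFS_CAP_FLAGS_EFFECTIVE if effective else 0
    body = struct.pack("<5I", magic, p & 0xFFFFFFFF, i & 0xFFFFFFFF, p >> 32, i >> 32)
    return body if rootid is None else body + struct.pack("<I", rootid)


def is_suspicious(caps: FileCaps, owner_uid: int, path: str) -> bool:
    """Assumed heuristic: unscoped caps on a non-root-owned file, or anywhere in a user-writable tree."""
    if caps.scoped:
        return False
    return owner_uid != 0 or path.startswith(USER_WRITABLE_PREFIXES)


def scan(root: str) -> List[Tuple[str, int, FileCaps]]:
    """Walk `root` and return (path, owner uid, caps) for every suspicious regular file."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:   # ENODATA (no caps), ENOTSUP, EACCES: nothing to report
                continue
            try:
                caps = decode_vfs_cap(blob)
            except ValueError:
                continue
            if is_suspicious(caps, st.st_uid, path):
                hits.append((path, st.st_uid, caps))
    return hits


if __name__ == "__main__":
    import sys
    for path, uid, caps in scan(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print("%s uid=%d v%d rootid=%s permitted=%s" % (path, uid, caps.revision, caps.rootid, sorted(caps.permitted)))
```

Run it as root (`python3 scan_fcaps.py /home`) so it can stat other users' files; a hit such as a user-owned binary with unscoped `CAP_SETUID` or `CAP_SYS_ADMIN` under a home directory is the artifact this vulnerability produces. Root-owned system binaries with expected capabilities (for example `CAP_NET_RAW` on a packet tool in `/usr/bin`) are not reported; extend `is_suspicious` with an allowlist if your baseline differs.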
## References
- Vendor Advisory (CVE-2023-32629): hxxps://ubuntu.com/security/CVE-2023-32629
- Vendor Advisory (CVE-2023-2640): hxxps://ubuntu.com/security/CVE-2023-2640
- Wiz Customer Check: hxxps://app.wiz.io/graph#~(query~(relationships~(~(type~(~(type~'CAUSES))~with~(relationships~(~(type~(~(type~'ALERTED_ON))~with~(as~'scoped_entity~relationships~(~(optional~true~type~(~(reverse~true~type~'CONTAINS))~with~(as~'optional_scoped_group~select~true~type~(~'COMPUTE_INSTANCE_GROUP))))~select~true~type~(~'VIRTUAL_MACHINE~'CONTAINER_IMAGE~'SERVERLESS))))~select~true~type~(~'SECURITY_TOOL_FINDING))))~type~(~'VULNERABILITY)~where~(name~(EQUALS~(~'CVE-2023-2640~'CVE-2023-32629))))))