Full Report
The overlay file system (OverlayFS) allows a user to merge file systems together to create a single unified file system. An OverlayFS setup has three kinds of directories: lower, upper and the overlay (the merged view) on top. The overlay is the overarching item of the setup. If you write, through the overlay, to a file that lives in a lower directory, the kernel copies it up to the upper directory. If you write to the upper, it doesn't go to the lower though. This is a design feature for isolation, it appears. If changes are made through the overlay, they are only reflected in the upper directory. Recap: lower->overlay, upper->overlay and lower->upper.

When the kernel copies a file from the overlay file system to the upper directory, there is no validation of the owner of this file within the current user namespace. Using this oversight, a lower directory could smuggle a SETUID binary into the upper directory using OverlayFS. How could this be exploited? The steps are below:

1. Create a FUSE file system. This will allow us to create a binary owned by root with the setuid bit on it.
2. Create a new user namespace.
3. Create a new OverlayFS mount with the lower directory within the FUSE FS from the previous step.
4. Trigger a copy of our SETUID binary from the overlay FS to the upper directory. This can be done by simply creating the binary. We now have a setuid binary under the upper directory, even though it came from the OverlayFS setup.
5. Exit the user namespace from step 2 to execute the SETUID binary!

The vulnerability allows for a privilege escalation to root by not handling namespaces correctly. This is why defense-in-depth with limiting syscalls and other things is important. Good writeup!
Analysis Summary
# Vulnerability: Linux Kernel OverlayFS Local Privilege Escalation (CVE-2023-0386)
## CVE Details
- CVE ID: CVE-2023-0386
- CVSS Score: N/A (Severity described as "trivial to exploit" and leading to root escalation)
- CWE: CWE-269 (Improper Privilege Management) - Inferred based on privilege escalation, but not explicitly listed.
## Affected Systems
- Products: Linux Kernel
- Versions: Kernels prior to version 6.2 (A system is likely vulnerable if it has a kernel version lower than 6.2).
- Configurations: Affects Linux-based systems utilizing OverlayFS, including those running containers that leverage OverlayFS.
## Vulnerability Description
The vulnerability resides in the Linux kernel's OverlayFS implementation when copying files from the lower directory to the upper directory within an OverlayFS mount. Specifically, when a file is copied up (e.g., because an attacker creates or modifies the file through the overlay, or because an internal OverlayFS operation triggers the copy), the kernel fails to validate the ownership of the file within the current user namespace context.
An unprivileged attacker can exploit this by:
1. Creating a FUSE file system owned by `root` containing a specially crafted **SETUID binary**.
2. Creating a new user namespace (`CLONE_NEWUSER`).
3. Creating an OverlayFS mount where the FUSE file system acts as the **lower directory**.
4. Triggering the copy of the SETUID binary from the lower (FUSE) directory into the **upper directory** of the OverlayFS mount. Due to the lack of validation, the resulting file in the upper directory retains the root ownership and SUID bit set by the FUSE volume.
5. Exiting the user namespace to execute the newly created SUID binary, resulting in privilege escalation to `root`.
## Exploitation
- Status: PoC available (Appeared publicly on GitHub on May 4, 2023). No observed exploitation in the wild as of May 10, 2023.
- Complexity: Low ("trivial to exploit").
- Attack Vector: Local (Requires an unprivileged user to run code locally, potentially from within a confined environment like a container).
## Impact
- Confidentiality: High (Gaining root access allows unauthorized access to all system data).
- Integrity: High (Gaining root access allows for complete system modification).
- Availability: High (Gaining root access allows for system destruction or denial of service).
## Remediation
### Patches
- The vulnerability was patched in the Linux source tree on January 27, 2023.
- Users must update their Linux kernel to a patched version (e.g., **6.2 or later** is considered safe, though specific distributions release fixes in earlier versions).
- Check specific distribution advisories for precise patched kernel releases (Ubuntu, Debian, Amazon Linux, Red Hat have released updates).
### Workarounds
- Defense-in-depth security hardening is recommended, such as limiting available syscalls or applying other restrictive security measures, though patching the kernel is the definitive fix.
- Note: While exploitation *inside* a container is possible, direct container escape to the host is not explicitly confirmed by the source material.
## Detection
- **Indicators of Compromise (IoCs):** Unusual file creation events involving OverlayFS where ownership or permissions (specifically the SUID bit) do not align with standard user operations within the upper layer.
- **Detection Methods and Tools:** Monitor for system calls related to mounting file systems, particularly OverlayFS creation combined with namespace manipulation (`clone()` or `unshare()` with `CLONE_NEWUSER`). Host-based security tools should monitor for the creation of unexpected SUID binaries in directories normally governed by container storage mechanisms.
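The host-based check described above can be scripted. The following is an added example written for this summary, not code from the original report or from the PoC repository; it assumes a host that exposes `/proc/mounts` in the usual format and treats any regular file in an overlay `upperdir` that is owned by uid 0 and carries the setuid bit as the artifact to flag. The mount lines and file entries in the block are constructed sample data so it runs offline; `scan_host()` runs the same logic against the live host.

```python
"""Added example: scan OverlayFS upper directories for root-owned SUID files.

Assumptions (not from the original report): the host exposes /proc/mounts in
the usual format, and the artifact worth flagging is a regular file in an
overlay "upperdir" owned by uid 0 with the setuid bit set.
"""
import os
import stat
from typing import Dict, Iterable, Iterator, List, Tuple

# (path, st_mode, st_uid) triples; produced by walk_entries() on a live host or
# constructed by hand for offline testing.
Entry = Tuple[str, int, int]


def overlay_upperdirs(mounts_text: str) -> List[str]:
    """Return the upperdir= option of every overlay mount in /proc/mounts text."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts layout: <source> <target> <fstype> <options> <dump> <pass>
        if len(fields) < 4 or fields[2] != "overlay":
            continue
        for opt in fields[3].split(","):
            if opt.startswith("upperdir="):
                # /proc/mounts escapes spaces in paths as octal \040; undo that
                found.append(opt[len("upperdir="):].replace("\\040", " "))
    return found


def walk_entries(root_dir: str) -> Iterator[Entry]:
    """Yield (path, mode, uid) for every file under root_dir, not following symlinks."""
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # raced with deletion or unreadable: skip it
            yield path, st.st_mode, st.st_uid


def suid_root_files(entries: Iterable[Entry]) -> List[str]:
    """Filter entries down to regular files owned by uid 0 with S_ISUID set."""
    hits = []
    for path, mode, uid in entries:
        if stat.S_ISREG(mode) and uid == 0 and mode & stat.S_ISUID:
            hits.append(path)
    return sorted(hits)


def scan_host(mounts_path: str = "/proc/mounts") -> Dict[str, List[str]]:
    """Map each overlay upperdir on the live host to its root-owned SUID files."""
    with open(mounts_path) as fh:
        upperdirs = overlay_upperdirs(fh.read())
    return {d: suid_root_files(walk_entries(d)) for d in upperdirs if os.path.isdir(d)}


# Constructed sample input (not real host data) so the block runs offline.
SAMPLE_MOUNTS = """\
overlay /var/lib/docker/overlay2/abc123/merged overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAAA:/var/lib/docker/overlay2/l/BBBB,upperdir=/var/lib/docker/overlay2/abc123/diff,workdir=/var/lib/docker/overlay2/abc123/work 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=401656k,mode=755 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

SAMPLE_ENTRIES: List[Entry] = [
    # a normal root-owned binary copied into the diff layer (no setuid bit)
    ("/var/lib/docker/overlay2/abc123/diff/usr/bin/ls", stat.S_IFREG | 0o755, 0),
    # the kind of artifact the CVE leaves behind: root-owned, setuid, in the upper layer
    ("/var/lib/docker/overlay2/abc123/diff/tmp/x", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    # setuid but owned by an unprivileged uid: not a root escalation primitive
    ("/var/lib/docker/overlay2/abc123/diff/home/u/tool", stat.S_IFREG | stat.S_ISUID | 0o755, 1000),
    # a setuid mode bit on a directory is not a SUID executable
    ("/var/lib/docker/overlay2/abc123/diff/srv", stat.S_IFDIR | stat.S_ISUID | 0o755, 0),
]

if __name__ == "__main__":
    print("overlay upperdirs:", overlay_upperdirs(SAMPLE_MOUNTS))
    print("root SUID files :", suid_root_files(SAMPLE_ENTRIES))
    # On a real host, replace the constructed data with: print(scan_host())
```

The scan deliberately ignores SUID files owned by non-root users and setuid bits on directories, so that only the root-owned executable in the upper layer is reported; a periodic run of `scan_host()` over container storage gives a cheap baseline against which new SUID root files stand out.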
## References
- Vendor Advisories: [Ubuntu Security Notice](https://ubuntu.com/security/CVE-2023-0386), [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2023-0386), [Red Hat Security Advisories](https://access.redhat.com/security/cve/cve-2023-0386), [Amazon Linux Security Center](https://explore.alas.aws.amazon.com/CVE-2023-0386.html)
- Relevant Links:
  - Linux Kernel Commit: hXXps://github.com/torvalds/linux/commit/4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
  - PoC Repository: hXXps://github.com/DataDog/security-labs-pocs/tree/main/proof-of-concept-exploits/overlayfs-cve-2023-0386