Two critical vulnerabilities in the OverlayFS module of Ubuntu's Linux kernel expose a large number of server systems to local privilege escalation. Administrators are advised to install the fixed kernel packages promptly and reboot.
Security researchers from Wiz have discovered two easily exploitable vulnerabilities in the OverlayFS module of Ubuntu's Linux kernel. According to a blog post they published yesterday, the flaws allow an unprivileged local user to escalate to root on about 40% of Ubuntu cloud workloads. “The affected Ubuntu versions are widely used in the cloud, serving as default operating systems for several CSPs,” the Wiz researchers warn.
Old exploits work without any modifications
The vulnerabilities, tracked as CVE-2023-32629 and CVE-2023-2640, reportedly stem from changes Ubuntu made to its OverlayFS module in 2018, which were not considered risky at the time. “However, in 2019 and 2022, the Linux Kernel Project made its own changes to the module, which contradicted Ubuntu’s earlier modifications,” the researchers explain. When Ubuntu's developers incorporated the new upstream code while keeping their own patch, the combination produced the two vulnerabilities, which therefore affect only Ubuntu kernels.
The researchers also note that public exploits attackers can use against these vulnerabilities already exist, in part because old exploits for previous OverlayFS vulnerabilities work against them without any adjustments. OverlayFS has been an attractive target for local privilege escalation in the past because of numerous logic flaws that were easy to exploit.
Patches are already available
Canonical, the company behind Ubuntu, states in its security notice on both vulnerabilities that the OverlayFS implementation in the Ubuntu Linux kernel “does not properly conduct permission checks in certain situations,” allowing attackers to gain elevated privileges. Patches are already available. It is now up to administrators to install the updated kernel packages, for example through the package manager. The fix only takes effect after a reboot: until then, the vulnerable kernel keeps running even though the patched package is already on disk.
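To confirm that the fix is actually in effect on a host, the following script, added here as an example and not taken from the Wiz post or Canonical's advisory, compares the running kernel (`uname -r`) with the newest installed `linux-image-*` package reported by `dpkg -l`; a mismatch means the patched package was installed but the vulnerable kernel is still running. The function names, the `--apply` switch and the constructed dpkg output used for checking it are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Wiz post or Canonical's advisory): after installing
# the fixed kernel package, verify that the kernel actually running is the newest
# one installed. Until the machine reboots, the patched package only sits on disk
# and the vulnerable OverlayFS code keeps executing.

# Pick the highest kernel version among installed (status "ii") linux-image-*
# packages. $1 holds text in `dpkg -l 'linux-image-*'` format. The package name
# suffix (e.g. 5.15.0-78-generic) is exactly what `uname -r` reports, so the two
# can be compared as strings. Versions are ranked numerically on
# (major, minor, patch, ABI), which avoids depending on `sort -V`.
highest_installed_kernel() {
    printf '%s\n' "$1" | awk '
        $1 == "ii" && $2 ~ /^linux-image-[0-9]/ {
            v = $2
            sub(/^linux-image-/, "", v)
            split(v, p, /[.-]/)
            key = sprintf("%05d%05d%05d%05d", p[1], p[2], p[3], p[4])
            if (key > best) { best = key; bestv = v }
        }
        END { print bestv }'
}

# Succeeds (exit 0) when a reboot is still needed: the running kernel ($1)
# differs from the newest installed kernel ($2).
reboot_pending() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# Report the patch status of this host. Only meaningful on a Debian/Ubuntu
# system with dpkg; elsewhere the check is skipped so the script still runs.
kernel_update_status() {
    if ! command -v dpkg >/dev/null 2>&1; then
        echo "dpkg not found: not a Debian/Ubuntu host, nothing to check"
        return 0
    fi
    running=$(uname -r)
    installed=$(highest_installed_kernel "$(dpkg -l 'linux-image-*' 2>/dev/null)")
    if [ -z "$installed" ]; then
        echo "no linux-image-* packages installed (container?); running: $running"
        return 0
    fi
    if reboot_pending "$running" "$installed"; then
        echo "REBOOT PENDING: running $running, newest installed $installed"
        return 1
    fi
    echo "OK: running kernel $running is the newest installed"
    return 0
}

# Entry point. `--apply` (an assumption of this example) performs the standard
# package update the advisory prescribes, which pulls in the fixed kernel image;
# the reboot itself is left to the operator.
case "${1:-}" in
    --apply) apt-get update && apt-get -y upgrade && echo "packages updated; reboot now" ;;
    *)       kernel_update_status || echo "(do not consider this host patched until it reboots)" ;;
esac
```

The comparison deliberately uses the package name rather than the package version (5.15.0-78.85), because only the name suffix matches `uname -r`. Pair this with the fixed versions listed in Canonical's advisory for the release in use to decide whether the installed package is new enough.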