Wiz Research discovered two privilege escalation vulnerabilities, tracked as CVE-2023-2640 and CVE-2023-32629, in the OverlayFS module in the Linux distro Ubuntu. According to the researchers, the flaws impact 40% of the users of the popular Linux distribution. The researchers pointed out that impacted Ubuntu versions are prevalent in the cloud because they are the default operating systems for multiple CSPs.
OverlayFS is a popular Linux filesystem that allows the deployment of dynamic filesystems based on pre-built images.
Several changes to the OverlayFS module were introduced by Ubuntu in 2018. Wiz researchers noticed that modifications to the module introduced by the Linux kernel project in 2019 and 2022 conflicted with Ubuntu’s earlier changes.
The adoption of the new code by Ubuntu introduced CVE-2023-32629 (2019) and CVE-2023-2640 (2022) into the OS.
“Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu’s individual changes to the OverlayFS module. Weaponized exploits for these vulnerabilities are already publicly available given old exploits for past OverlayFS vulnerabilities work out of the box without any changes,” reads the advisory published by Wiz.
The vulnerability CVE-2023-2640 (CVSS v3 score: 7.8) resides in the Ubuntu Linux kernel. It allows an unprivileged user to set privileged extended attributes on mounted files; those attributes are then set on the upper files without the appropriate security checks. A local attacker can use the flaw to gain elevated privileges.
The vulnerability CVE-2023-32629 (CVSS v3 score: 5.4) is a local privilege escalation issue in the OverlayFS code of Ubuntu kernels: ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr.
Ubuntu has published a security advisory covering eight vulnerabilities, including the two issues above, which were addressed with the release of the latest version of the distro's Linux kernel.
(SecurityAffairs – hacking, Linux)