Hacking

Two flaws in Linux Ubuntu affect 40% of Ubuntu users

Wiz researchers discovered two Linux vulnerabilities in the Ubuntu kernel that can allow an unprivileged local user to gain elevated privileges.

Wiz Research discovered two privilege escalation vulnerabilities, tracked as CVE-2023-2640 and CVE-2023-32629, in the OverlayFS module in the Linux distro Ubuntu. According to the researchers, the flaws impact 40% of the users of the popular Linux distribution. The researchers pointed out that impacted Ubuntu versions are prevalent in the cloud because they are the default operating systems for multiple CSPs.

OverlayFS is a popular Linux filesystem that allows the deployment of dynamic filesystems based on pre-built images.

Several changes to the OverlayFS module were introduced by Ubuntu in 2018. Wiz researchers noticed that modifications to the module introduced by the Linux kernel project in 2019 and 2022 conflicted with Ubuntu’s earlier changes.

The adoption of the new code by Ubuntu introduced CVE-2023-32629 (2019) and CVE-2023-2640 (2022) into the OS.

“Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu’s individual changes to the OverlayFS module. Weaponized exploits for these vulnerabilities are already publicly available given old exploits for past OverlayFS vulnerabilities work out of the box without any changes.” reads the advisory published by Wiz.

The vulnerability CVE-2023-2640 (CVSS v3 score: 7.8) resides in the Ubuntu Linux kernel. It can allow an unprivileged user to set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks. It can allow a local attacker to gain elevated privileges.

The vulnerability CVE-2023-32629 (CVSS v3 score: 5.4) is a local privilege escalation issue that resides in kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels

Ubuntu has published a security advisory about eight vulnerabilities, including the above issues, that were addressed with the release of the latest version of the distro Linux kernel.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools

RedWing: The Android Banking Trojan You Can Rent on Telegram for Less Than a Coffee…

7 hours ago

U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and…

9 hours ago

CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code

CISA is using Anthropic's Mythos AI to scan federal code for vulnerabilities, aiming to find…

11 hours ago

Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets

Attackers are exploiting a critical Gitea flaw (CVE-2026-20896) that bypasses authentication with a single HTTP…

21 hours ago

Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)

Spain arrested a suspected CARR and Z-Pentest collaborator in an FBI-led probe for aiding pro-Russian…

23 hours ago

Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available

CERT/CC warns an unpatched backdoor in several Tenda routers lets attackers bypass login and gain…

1 day ago

This website uses cookies.