Two easy-to-exploit privilege escalation vulnerabilities that affect 40% of Ubuntu workloads were found in the OverlayFS module in Ubuntu.
In a blog post July 26, Wiz researchers said the Ubuntu OverlayFS module is a widely used Linux filesystem that became very popular with the rise of containers as its features allow for the deployment of dynamic filesystems based on pre-built images.
The Wiz researchers said OverlayFS serves as an attractive attack surface because it has a history of numerous logical vulnerabilities that are easy to exploit. This makes these newly discovered flaws especially risky given that the exploits for the past OverlayFS bugs work out-of-the-box without any changes.
Dubbed #GameOver(lay), Ubuntu has released official security bulletins for the two flaws: CVE-2023-32629 and CVE-2023-2640. Both were rated by Ubuntu as high severity bugs at 7.8.
Wiz customers can check their impacted resources in the Wiz portal. Ubuntu fixed the vulnerabilities on July 24 and said users should update their kernels.
“The vulnerabilities we discovered also highlight the risks involved in modifying complex open-source projects,” wrote the Wiz researchers. “Initially, Ubuntu's kernel modifications seemed harmless. After subsequent changes made to the Linux kernel, which would naturally seem reasonable to any developer, vulnerabilities were inadvertently introduced.”
These vulnerabilities are the result of a number of separate change incidents that happened over the span of years, explained John Anthony Smith, chief executive officer at the Conversant Group. Smith said as a result, there are proof of concept (POC) hacks publicly available for them — meaning they pose a high risk of exploitation and security teams should patch them immediately.
“Together, these CVEs essentially grant root-level capabilities to a threat actor that successfully capitalizes on them,” Smith said. “Privilege escalation flaws are certainly not uncommon, so it’s essential that security professionals keep a very close eye on threat feeds to identify pressing out-of-band patching concerns like these and attend to them, particularly when a POC exists.
Mike Parkin, senior technical engineer at Vulcan Cyber, added that the vulnerabilities shown here highlight how the relationships between Linux kernel development and individual distributions adding their own special tweaks having unforeseen consequences.
“Fortunately, while these vulnerabilities would be easy to exploit, they require local user access, which should limit the attack surface,” Parkin explained. “Remote exploitation seems very unlikely. Ubuntu has released patches to address the issue, and deployments that utilize the affected OverlayFS module should update their kernel as soon as is practical.”
