GameOverlayFs
CVE-2023-2640 & CVE-2023-32629
Theory
CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu, which is a widely used Linux filesystem that became highly popular with the rise of containers as its features enable the deployment of dynamic filesystems based on pre-built images. The two vulnerabilities are exclusive to Ubuntu because Ubuntu introduced several changes to the OverlayFS module in 2018.
These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine. Linux has a feature called "file capabilities" that grants elevated privileges to executables while they're executed. This feature is reserved for the root user, while lower-privileged users cannot create such files. However, we discovered that it's possible to craft an executable file with “scoped” file capabilities and trick the Ubuntu kernel into copying it to a different location with “unscoped” capabilities, granting anyone who executes it root-like privileges.
Practice
The target system is likely to be vulnerable if its an Ubuntu and has a kernel version lower than 6.2 and greater than 5.15.
Following versions are vulnerable (marked with a ✔):
| Release | Version | CVE-2023-2640 | CVE-2023-32629 |
|---|---|---|---|
Ubuntu 23.04 (Lunar Lobster) | |||
6.2.0 | ✔ | ✔ | |
Ubuntu 22.10 (Kinetic Kudu) | |||
5.19.0 | ✔ | ✔ | |
Ubuntu 22.04 LTS (Jammy Jellyfish) | |||
5.19.0 | ✔ | ✔ | |
6.2.0 | ✔ | ✔ | |
5.15.0 | ✘ | ✘ | |
Ubuntu 20.04 LTS (Focal Fossa) | |||
5.15.0 | ✘ | ✘ | |
5.4.0 | ✘ | ✔ | |
Ubuntu 18.04 LTS (Bionic Beaver) | |||
5.4.0 | ✘ | ✔ |
Resources
Last updated
