A vulnerability in OverlayFS allows the escalation of user privileges


If exploited, flaws of this kind can allow attackers to gain unauthorized access to sensitive information or otherwise cause problems.

Information has been released about a vulnerability found in the Linux kernel's OverlayFS file system implementation (tracked as CVE-2023-0386).

The flaw can be used to gain root access on systems that have the FUSE subsystem installed and that allow OverlayFS partitions to be mounted by an unprivileged user (possible since Linux kernel 5.11, with the inclusion of unprivileged user namespaces).

The attack is carried out by copying files with the setgid/setuid flags from a partition mounted in nosuid mode to an OverlayFS partition whose upper layer is backed by a partition that allows the execution of suid files.

In the words of the advisory, a flaw was found in the Linux kernel's OverlayFS subsystem where unauthorized execution of a setuid file with capabilities becomes possible when a user copies a capable file from a nosuid mount into another mount. This uid mapping error allows a local user to escalate their privileges on the system.

The vulnerability is similar to CVE-2021-3847, identified in 2021, but has lower exploitation requirements: the old issue required manipulation of xattrs, which is restricted inside user namespaces, while the new issue relies on the setgid/setuid bits, which receive no special handling inside a user namespace.

An attacker with a low-privileged user account on a Linux machine with an overlay mount that has a file capability in one of its layers can escalate their privileges to root by copying a capable file from one nosuid mount to another mount. This vulnerability is similar to CVE-2021-3847, but requires fewer permissions to exploit, so it has a higher priority.

Attack algorithm:

  • With the help of the FUSE subsystem, a file system is mounted that contains an executable file owned by root with the setuid/setgid flags set and writable by all users. On mounting, FUSE sets the "nosuid" mode.
  • The user and mount namespaces are unshared (user/mount namespace).
  • OverlayFS is mounted with the file system created earlier in FUSE as the lower layer and the upper layer pointing at a writable directory. The upper-layer directory must be located on a file system that was mounted without the "nosuid" flag.
  • The touch utility is run on the suid file in the FUSE partition to change its modification time, which brings a copy of the file up into the OverlayFS upper layer.
  • During the copy-up, the kernel does not clear the setgid/setuid flags, so the file ends up on a partition where setgid/setuid are honoured.
  • To obtain root rights, it is enough to run the file with the setgid/setuid flags from the directory backing the OverlayFS upper layer.
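The following POSIX shell script is an added defender-side example; it is not code from the original article, from the kernel project or from any distribution. It checks, on the local host, only the preconditions the article itself names: the kernel version window (unprivileged OverlayFS mounts from 5.11, fix in 6.2), whether unprivileged user namespaces are enabled, and whether the fuse and overlay file systems are available. The /proc/sys paths are the standard user.max_user_namespaces knob and the Debian/Ubuntu/Arch-specific kernel.unprivileged_userns_clone knob; the version window is a hint only, because distributions backport fixes without changing the version number, so the vendor advisory remains the authority on patch status.

```shell
#!/bin/sh
# Added example, not code from the original article: a local exposure check for
# CVE-2023-0386 built only from the preconditions the article lists.
# The version window (5.11 <= v < 6.2) is the article's; distribution kernels
# backport fixes without bumping the version, so treat the result as a hint and
# confirm against your vendor's advisory.

# version_ge A B: succeed if major.minor of A >= major.minor of B.
# Accepts uname -r style strings such as "5.15.0-76-generic" (major.minor required).
version_ge() {
  a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
  b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
  [ "$a_major" -gt "$b_major" ] && return 0
  [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# kernel_in_window REL: succeed if REL falls inside the range the article gives
# (unprivileged OverlayFS mounts possible from 5.11, issue fixed in 6.2).
kernel_in_window() {
  version_ge "$1" 5.11 && ! version_ge "$1" 6.2
}

# sysctl_value PATH: print the value of a /proc/sys entry, or "n/a" if absent.
sysctl_value() {
  if [ -r "$1" ]; then cat "$1"; else echo "n/a"; fi
}

# fs_available NAME: succeed if NAME is listed in /proc/filesystems
# (built into the kernel or currently loaded as a module).
fs_available() {
  [ -r /proc/filesystems ] && grep -q "[[:space:]]$1\$" /proc/filesystems
}

# audit_host: print the findings for the running system (read-only, any user).
audit_host() {
  release=$(uname -r)
  if kernel_in_window "$release"; then
    echo "kernel $release: inside the 5.11..6.2 window; confirm vendor patch level"
  else
    echo "kernel $release: outside the 5.11..6.2 window; still confirm vendor patch level"
  fi
  # The article ties the attack to unprivileged user namespaces; 0 disables them.
  echo "user.max_user_namespaces: $(sysctl_value /proc/sys/user/max_user_namespaces)"
  # Debian/Ubuntu/Arch-style kernels carry this extra knob; it is absent elsewhere.
  echo "kernel.unprivileged_userns_clone: $(sysctl_value /proc/sys/kernel/unprivileged_userns_clone)"
  # Both file systems are needed for the scenario the article describes.
  for fs in fuse overlay; do
    if fs_available "$fs"; then
      echo "$fs: available"
    else
      echo "$fs: not available"
    fi
  done
}

audit_host
```

Run it as any user; it only reads /proc and prints findings. A host with the kernel inside the window, user.max_user_namespaces above 0 and both file systems available matches every condition the article gives, and is the one to prioritise for the vendor update.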

As for the fix, it should be mentioned that the issue was resolved in the 6.2 kernel branch. The status of package updates in distributions can be followed on the respective pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

In addition, researchers on the Google Project Zero team disclosed three vulnerabilities that were fixed in the mainline Linux 5.15 kernel but were not backported to the RHEL 8.x/9.x and CentOS Stream 9 kernel packages.

  1. CVE-2023-1252: use of an already freed memory area (use-after-free) in the ovl_aio_req structure when several operations run concurrently in OverlayFS on top of the Ext4 file system. The vulnerability potentially allows privilege escalation on the system.
  2. CVE-2023-0590: use of an already freed memory area in the qdisc_graft() function. The impact is believed to be limited to a crash.
  3. CVE-2023-1249: use of an already freed memory area in the core-dump code due to a missing mmap_lock call in fill_files_note. The impact is believed to be limited to a crash.
