Linux Kernel OverlayFS Vulnerability (CVE-2023-0386)


Fleury, Terry

Apr 26, 2023, 10:24:41 AM4/26/23
to cv-an...@trustedci.org

CI Operators:

A bug in the Linux kernel's overlayFS implementation has been discovered [1] which allows an attacker with a low-privileged account on a Linux machine to copy a file from a nosuid mount to a mount without that restriction while preserving the file's setuid and setgid bits and its file capabilities. This issue has been assigned CVE-2023-0386 [2] with a CVSSv3 base score of 7.8.

Impact:

A local unprivileged user can exploit this bug to escalate privileges to root. This has been demonstrated using a FUSE filesystem mounted by an unprivileged user via "fusermount", although there may be other attack paths that do not rely on FUSE.

Affected Software:

* Linux kernel < v6.2-rc6 (most major Linux distributions)

Recommendation:

If your Linux system has local unprivileged users, update to the latest Linux kernel for your distribution and reboot. RHEL 7 variants are not affected, but RHEL 8/9, Debian, and Ubuntu are affected [3,4,5]. Some advice suggests restricting or removing access to FUSE as a mitigation; however, CI operators should also consider other ways a setuid/setgid executable could be introduced to the host, such as an NFS server shared with an external or less-trusted host.

Where such conditions exist, removing access to FUSE may not be sufficient. In those cases, CI operators should consider disabling overlayFS support (provided by the "overlay" kernel module, if not compiled in), and/or ensuring that all areas writable by unprivileged users are mounted with the "nosuid" and "nodev" flags.
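The following POSIX shell script is an added example, not part of the Trusted CI alert and not a Trusted CI tool. It audits a host for the two configuration mitigations above: it lists every read-write mount whose per-mount options lack nosuid and/or nodev (so you can see which user-writable areas would accept a copied-up setuid file), reports whether the overlay filesystem is registered with the kernel, and checks whether /etc/modprobe.d carries an "install overlay" override. The function names are this example's own, and the mountinfo sample embedded in it is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example for the CVE-2023-0386 alert (not Trusted CI's code): audit the
# nosuid/nodev and overlay-module mitigations.  Function names are this
# example's own; the sample data below is constructed, not captured.

# Print "<mountpoint> missing: <opts>" for every read-write mount in
# /proc/self/mountinfo-format text on stdin that lacks nosuid and/or nodev.
# Field 5 is the mount point and field 6 the per-mount options.  Read-only
# mounts are skipped because a copy-up cannot land on them.
audit_mounts() {
    awk '{
        mp = $5; opts = $6
        if (opts !~ /(^|,)rw(,|$)/) next
        missing = ""
        if (opts !~ /(^|,)nosuid(,|$)/) missing = missing " nosuid"
        if (opts !~ /(^|,)nodev(,|$)/)  missing = missing " nodev"
        if (missing != "") print mp " missing:" missing
    }'
}

# Return 0 if /proc/filesystems-format text on stdin lists "overlay", i.e. the
# filesystem is compiled in or the module is currently loaded.
overlay_registered() {
    grep -qw overlay
}

# Return 0 if modprobe.d-format text on stdin contains an "install overlay"
# override that stops the module from loading.  A bare "blacklist overlay"
# line is not accepted: it only suppresses alias-based autoloading and does
# not stop an explicit "modprobe overlay".  Neither setting helps when overlay
# is compiled into the kernel rather than built as a module.
overlay_module_disabled() {
    grep -Eq '^[[:space:]]*install[[:space:]]+overlay[[:space:]]+/bin/(false|true)([[:space:]]|$)'
}

# Constructed sample in /proc/self/mountinfo format (not from a real host).
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:35 / /tmp rw,nosuid,nodev,relatime shared:20 - tmpfs tmpfs rw
41 22 0:36 / /home rw,relatime shared:21 - ext4 /dev/sdb1 rw
42 22 0:37 / /dev/shm rw,nosuid,nodev shared:22 - tmpfs tmpfs rw
43 22 0:38 / /mnt/ro ro,relatime shared:23 - ext4 /dev/sdc1 ro
44 22 0:39 / /scratch rw,nodev,relatime shared:24 - nfs4 fs:/scratch rw'

if [ "${1:-}" = "--live" ]; then
    echo "== read-write mounts lacking nosuid/nodev =="
    audit_mounts </proc/self/mountinfo
    if overlay_registered </proc/filesystems; then
        echo "overlay: registered (compiled in or module loaded)"
    else
        echo "overlay: not registered"
    fi
    if cat /etc/modprobe.d/*.conf 2>/dev/null | overlay_module_disabled; then
        echo "overlay module: install override present in /etc/modprobe.d"
    else
        echo "overlay module: no install override in /etc/modprobe.d"
    fi
else
    echo "== sample audit (run with --live to audit this host) =="
    printf '%s\n' "$SAMPLE_MOUNTINFO" | audit_mounts
fi
```

Without arguments the script audits only the embedded sample and reports /, /home and /scratch; with --live it reads /proc/self/mountinfo, /proc/filesystems and /etc/modprobe.d on the current host. The mount list is deliberately broad (it includes the root filesystem, since /home or /tmp may live there), so review it against the areas your unprivileged users can actually write to. To remediate, add nosuid,nodev to the relevant fstab entries (for example "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0") and remount, and to block the module add "install overlay /bin/false" to a file under /etc/modprobe.d and unload it with "rmmod overlay" if it is currently loaded and unused. Distribution kernels carry backported fixes, so the kernel version alone does not tell you whether a host is patched; check the vendor advisory [3,4,5] for the fixed package version.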

References:

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2159505

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0386

[3] https://access.redhat.com/security/cve/CVE-2023-0386

[4] https://security-tracker.debian.org/tracker/CVE-2023-0386

[5] https://ubuntu.com/security/CVE-2023-0386

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

You are receiving this message because you are subscribed to cv-an...@trustedci.org. The archive of previous alerts is publicly accessible. If you prefer not to receive future alerts, you can unsubscribe.
