Two high-severity security flaws in the Ubuntu kernel, which were discovered and disclosed by cybersecurity researchers from the cloud security firm Wiz. These flaws are tracked as CVE-2023-2640 and CVE-2023-32629, with respective CVSS scores of 7.8.
CVE-2023-2640: This vulnerability can be exploited when certain conditions are met in Ubuntu kernels that have both the commit c914c0e27eb0 and the “UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs” modification. An unprivileged user can set privileged extended attributes on mounted files, and these attributes will be applied to the upper files without appropriate security checks. CVE-2023-32629: This local privilege escalation vulnerability occurs in Ubuntu kernels that use OverlayFS. Specifically, it relates to the ovl_copy_up_meta_inode_data function, where permission checks are skipped when calling ovl_do_setxattr.
The vulnerabilities are collectively referred to as “GameOver(lay)” and are particularly impactful, as they can be exploited to craft an executable file with scoped file capabilities and deceive the Ubuntu Kernel into copying it to a different location with unscoped capabilities, thereby granting the execution of the file root-like privileges. It is worth noting that the affected versions of Ubuntu are prevalent in cloud environments as they are commonly used as default operating systems for multiple cloud service providers. The vulnerabilities have been responsibly disclosed to Ubuntu, and as of July 24, 2023, Ubuntu has fixed these issues.
The researchers highlighted that these vulnerabilities are unique to Ubuntu kernels due to specific changes made by Ubuntu to the OverlayFS module. This underscores the fact that seemingly innocuous modifications to the Linux kernel could have unforeseen and significant security implications.
