Ubuntu Security Alert: GameOver(lay) Vulnerabilities in the Kernel

Ubuntu Kernel Vulnerabilities Pose Risks to Cloud Security

Recently, cybersecurity researchers have revealed two critical security flaws in the Ubuntu kernel that could potentially enable local privilege escalation attacks. The disclosure has sent ripples through the cybersecurity community, raising significant concerns given the implications for nearly 40% of all Ubuntu users.

These vulnerabilities, tagged as CVE-2023-2640 and CVE-2023-32629 and aptly named GameOver(lay), are present in a kernel module called OverlayFS. This module functions as a union mount filesystem, effectively merging multiple directory trees or filesystems into a singular, cohesive filesystem.

Both flaws result from insufficient permission checks in particular situations, giving local attackers a way to gain elevated privileges. Here is a brief summary of the vulnerabilities:

  • CVE-2023-2640: On Ubuntu kernels containing specific code, an unprivileged user could set privileged extended attributes on mounted files without the necessary security checks. This could lead to inappropriate permissions being set on files.
  • CVE-2023-32629: This is a local privilege escalation vulnerability in Ubuntu Kernels' OverlayFS that skips permission checks when performing certain operations.

In more accessible terms, these vulnerabilities could enable an attacker to devise an executable file with scoped file capabilities and trick the Ubuntu Kernel into relocating it with unscoped capabilities. This, in essence, could provide anyone who executes it with root-like privileges.

GameOver(lay) Vulnerabilities in Ubuntu

In OverlayFS, upon file modifications, the kernel copies the file from the “lower” to the “upper” directory. We can trick the kernel into copying the original scoped executable to the “upper” directory with unscoped capabilities, so the new file written by the kernel is weaponized.
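For defenders, the difference between scoped and unscoped file capabilities is visible in the `security.capability` extended attribute, so a filesystem (for example an overlay "upper" directory) can be audited for files that carry unscoped capabilities. The following is an added example, not code from this article, Wiz or Ubuntu: it decodes the attribute using the layout in the kernel header linux/capability.h, and the function names and sample byte strings are constructed for illustration.

```python
import os
import struct

# Layout and constants from the kernel UAPI header linux/capability.h.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000    # 20 bytes, no namespace root uid stored
VFS_CAP_REVISION_3 = 0x03000000    # 24 bytes, trailing rootid field
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
XATTR = "security.capability"

def parse_file_caps(raw):
    """Decode a security.capability value (all fields little-endian)."""
    if len(raw) not in (20, 24):   # legacy revision 1 (12 bytes) is rejected too
        raise ValueError("unexpected xattr length %d" % len(raw))
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw)
    revision = magic & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2 and len(raw) == 20:
        rootid = None
    elif revision == VFS_CAP_REVISION_3 and len(raw) == 24:
        rootid = struct.unpack_from("<I", raw, 20)[0]
    else:
        raise ValueError("revision/length mismatch")
    return {
        "revision": revision >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "rootid": rootid,
        "scoped": bool(rootid),    # scoped only with a non-zero namespace root uid
    }

def audit_tree(top):
    """Yield (path, caps) for files under top that carry unscoped capabilities."""
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, XATTR, follow_symlinks=False)
                caps = parse_file_caps(raw)
            except (OSError, ValueError):
                continue           # no capability xattr, unreadable, or malformed
            if not caps["scoped"] and caps["permitted"]:
                yield path, caps

# Constructed samples: same permitted set, without and with a namespace root uid.
SAMPLE_V2 = struct.pack("<5I", VFS_CAP_REVISION_2 | 1, 0xFFFFFFFF, 0, 0x1FF, 0)
SAMPLE_V3 = struct.pack("<6I", VFS_CAP_REVISION_3 | 1, 0xFFFFFFFF, 0, 0x1FF, 0, 100000)
```

Every hit from `audit_tree` should map to a binary that the distribution's packages are known to ship with file capabilities; anything else deserves investigation.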

The vulnerabilities have since been patched by Ubuntu following responsible disclosure, with fixes issued on July 24, 2023.

The discovery of these vulnerabilities underscores the unpredictable effects of subtle changes to the Linux kernel made by Ubuntu. Wiz CTO and co-founder Ami Luttwak commented, "Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu's individual changes to the OverlayFS module."

Indeed, the problems identified have parallels with other vulnerabilities such as CVE-2016-1576, CVE-2021-3493, CVE-2021-3847, and CVE-2023-0386. As these vulnerabilities become more common, staying vigilant and regularly updating systems becomes ever more important. For now, the battle with GameOver(lay) has been won, but the war for cybersecurity continues.
