Wiz Discovers Two Vulnerabilities in Ubuntu's OverlayFS module

Category: Vulnerability | Industry: Global | Source: Wiz

A pair of privilege escalation vulnerabilities, CVE-2023-2640 and CVE-2023-32629, have been discovered in Ubuntu's OverlayFS implementation by security researchers Sagi Tzadik and Shir Tamari from Wiz. Dubbed GameOver(lay), these kernel-level vulnerabilities have been assigned CVSS scores of 7.8 (high severity) for CVE-2023-2640 and 5.4 (medium severity) for CVE-2023-32629. "OverlayFS is a potential security concern and an interesting attack surface. It allows users to mask other filesystems and perform unintended operations against them," as detailed in Wiz's report. The impact of these vulnerabilities is significant, potentially affecting around 40% of the Ubuntu user base.

Ubuntu's incorporation of OverlayFS started with its own custom configurations in 2018. However, in subsequent years, specifically in 2019 and 2022, the Linux kernel project introduced its own modifications to the module, which conflicted with Ubuntu's existing changes. These conflicts gave rise to the vulnerabilities identified by Wiz. Wiz reported the vulnerabilities to Ubuntu on June 23rd, 2023, and in response, Ubuntu released patches on July 25th, 2023. Impacted Ubuntu users are strongly urged to apply the patches, as proof-of-concept (PoC) exploits for these vulnerabilities are publicly available.

