Vulnerability in OverlayFS allowing privilege escalation

A vulnerability (CVE-2023-0386) has been identified in the Linux kernel's implementation of the OverlayFS file system. It can be used to gain root access on systems that have the FUSE subsystem installed and that allow an unprivileged user to mount OverlayFS partitions (possible starting with Linux 5.11, which added support for such mounts inside unprivileged user namespaces). The issue has been fixed in the 6.2 kernel branch. The publication of package updates in distributions can be tracked on the pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

The attack is performed by copying files carrying the setgid/setuid bits from a partition mounted in nosuid mode to an OverlayFS partition whose layer is associated with a partition that allows suid files to execute. The vulnerability is similar to CVE-2021-3847, identified in 2021, but has lower exploitation requirements: the old issue required manipulation of xattrs, which is restricted inside user namespaces, whereas the new issue relies on the setgid/setuid bits, which receive no special handling in user namespaces.

Attack algorithm:

  • Using the FUSE subsystem, a file system is mounted that contains an executable file owned by root with the setuid/setgid bits set and writable by all users. When mounting, FUSE sets the "nosuid" mode.
  • User and mount namespaces are unshared (user/mount namespace).
  • OverlayFS is mounted with the file system previously created in FUSE as the lower layer and a writable directory as the upper layer. The upper-layer directory must be located on a file system that was not mounted with the "nosuid" flag.
  • The touch utility is used to change the modification time of the suid file in the FUSE partition, which causes it to be copied up to the upper layer of OverlayFS.
  • During the copy-up, the kernel does not strip the setgid/setuid bits, so the file ends up on a partition where setgid/setuid is honoured.
  • To obtain root privileges, it is enough to run the file with the setgid/setuid bits from the directory backing the upper layer of OverlayFS.
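A defender-side inventory check matching the conditions in the steps above, added here as an example (not code from the article or from the kernel project): it parses /proc/self/mountinfo, reports overlay mounts whose upperdir sits on a mount without nosuid, and walks those upperdirs for files carrying setuid/setgid bits, the artifact a copy-up like the one described leaves behind. The mountinfo sample is constructed; an upperdir on a mount without nosuid is normal on its own, so hits from the file walk are what merit investigation.

```python
import os
import stat
# Constructed /proc/self/mountinfo sample: root fs, a nosuid FUSE mount, an overlay with upperdir on the root fs.
SAMPLE_MOUNTINFO = """\
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
90 25 0:45 / /tmp/fuse rw,nosuid,nodev,relatime - fuse.example example rw,user_id=1000
91 25 0:46 / /tmp/merged rw,relatime - overlay overlay rw,lowerdir=/tmp/fuse,upperdir=/tmp/upper,workdir=/tmp/work
"""
def parse_mountinfo(text):
    """Parse mountinfo(5): ' - ' separates per-mount fields from fs type, source and superblock options."""
    mounts = []
    for line in filter(str.strip, text.splitlines()):
        pre, _, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        sb_opts = dict(opt.partition("=")[::2] for opt in post_fields[2].split(","))
        mounts.append({"mount_point": pre_fields[4].replace("\\040", " "),
                       "mount_opts": set(pre_fields[5].split(",")),
                       "fs_type": post_fields[0], "sb_opts": sb_opts})
    return mounts

def mount_for_path(path, mounts):
    """Mount entry the path lives on: the longest mount point that is a prefix of the path."""
    candidates = [m for m in mounts if path == m["mount_point"]
                  or path.startswith(m["mount_point"].rstrip("/") + "/")]
    return max(candidates, key=lambda m: len(m["mount_point"]), default=None)

def find_risky_overlays(mounts):
    """(overlay mount point, upperdir) pairs whose upperdir sits on a mount without nosuid."""
    risky = []
    for m in mounts:
        upper = m["sb_opts"].get("upperdir") if m["fs_type"] == "overlay" else None
        host = mount_for_path(upper, mounts) if upper else None
        if host is not None and "nosuid" not in host["mount_opts"]:
            risky.append((m["mount_point"], upper))
    return risky

def suid_files_in(directory):
    """Regular files below directory carrying setuid or setgid bits, as (path, mode, uid)."""
    hits = []
    for root, _dirs, files in os.walk(directory):  # os.walk silently skips unreadable dirs
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks found in the upperdir
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(st.st_mode & 0o7777), st.st_uid))
    return hits

if __name__ == "__main__":  # live scan of this host's mounts
    for mp, upper in find_risky_overlays(parse_mountinfo(open("/proc/self/mountinfo").read())):
        print(f"overlay {mp}: upperdir {upper} lacks nosuid; setuid/setgid files: {suid_files_in(upper)}")
```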

Additionally, researchers from the Google Project Zero team have disclosed information about three vulnerabilities that were fixed in the mainline Linux 5.15 kernel but were not backported to the kernel packages of RHEL 8.x/9.x and CentOS Stream 9.

  • CVE-2023-1252 - Use-after-free in the ovl_aio_req structure when several operations are performed concurrently on OverlayFS deployed on top of the Ext4 file system. The vulnerability potentially allows privilege escalation.
  • CVE-2023-0590 - Use-after-free in the qdisc_graft() function. Exploitation is believed to be limited to a crash.
  • CVE-2023-1249 - Use-after-free in the coredump code due to a missing mmap_lock acquisition in fill_files_note. Exploitation is believed to be limited to a crash.

Source: opennet.ru