Wiz researchers Sagi Tzadik and Shir Tamari have identified a pair of vulnerabilities that are estimated to be affecting two in five Ubuntu users, so users of the popular Linux distro are being urged to update now.
The vulnerabilities, being tracked as CVE-2023-32629 and CVE-2023-2640, were both dealt with in the latest patch available for Ubuntu 23.04 Lunar Lobster.
Still, many users won’t have applied the necessary update yet which is problematic because Tzadik and Tamari say that exploits for these vulnerabilities are already publicly available.
Update your Ubuntu now
Both problems stem, say the researchers, from when the Linux kernel project made modifications to the OverlayFS module in 2019 and 2022, which conflicted with Ubuntu’s earlier changes. When the new code was adopted by Ubuntu, both CVEs became apparent.
The Wiz advisory reads: “OverlayFS serves as an attractive attack surface for local privilege escalation since it is often accessible to unprivileged users via user namespaces, it has a history of numerous logical vulnerabilities that were easy to exploit, and it has a relatively active code base.”
For both CVE-2023-32629 and CVE-2023-2640, Ubuntu said: “the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations.” This led to the potential for a local attacker to gain elevated privileges.
At the same time, Linux applied fixes for six other vulnerabilities. Ubuntu says that a reboot is required after an update to ensure that the changes have taken effect.
Given the far reach of these vulnerabilities because of the popularity of OverlayFS, and their severity (one marked as high, the other as medium), users should look to apply updates even if they are unsure of their particular setups or that they think they have already updated recently.
