In today's fast-changing digital world, cybersecurity is crucial to keep our virtual assets safe from lurking threats. Today we look at Ubuntu Linux and a serious security concern known as "GameOver(lay)": a pair of local privilege escalation vulnerabilities, CVE-2023-2640 and CVE-2023-32629, discovered by the Wiz research team. Both sit in OverlayFS, a union filesystem that container runtimes rely on to layer a writable directory over a read-only image, which is why the bugs matter well beyond the desktop.
In this context, having a reliable risk-based vulnerability management service, like the one offered by Armoryze, can play a significant role in enhancing security measures. Such services help organizations identify and prioritize potential vulnerabilities, making it easier to protect critical systems from potential exploits like "GameOver(lay)." By understanding the vulnerability risks and addressing them proactively, businesses can bolster their cybersecurity defenses and ensure a safer digital environment for their valuable assets.
Understanding the GameOver(lay) CVEs:
CVE-2023-2640: On Ubuntu kernels carrying both upstream commit c914c0e27eb0 and the Ubuntu-specific patch "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user can set privileged extended attributes (such as security.capability, which carries file capabilities) on files in the mounted overlay, and those attributes are written to the underlying upper files without the security checks that would normally apply.
CVE-2023-32629: Local privilege escalation in the Ubuntu kernel's OverlayFS: ovl_copy_up_meta_inode_data skips permission checks when it calls ovl_do_setxattr, so extended attributes are copied up to the upper file unchecked.
A Closer Look at OverlayFS:
OverlayFS is a union filesystem: it presents a merged view of a read-only lower directory and a writable upper directory, and any write to a lower file first copies that file up into the upper directory, so the lower layer is never modified. Container setups depend on this to share one immutable image between many containers while giving each its own writable layer. The copy-up path has to carry file metadata, including extended attributes, from the lower file to the new upper file, and that is the trust boundary both of these bugs cross: an attribute set through the overlay ends up on a real file in the upper directory.
GameOver(lay) is not a new class of flaw. The two bugs follow the same pattern as earlier OverlayFS privilege escalations, and Wiz notes that the public exploit for an earlier Ubuntu OverlayFS bug, CVE-2021-3493, works against the affected kernels without modification. That makes the current vulnerabilities more dangerous, not less: attackers need nothing new, only well-known and readily available tooling.
The root cause goes back to a change Ubuntu made to its OverlayFS module in 2018. On its own the change was harmless and raised no concerns. Later upstream kernel changes, however, assumed behaviour that Ubuntu's modified code no longer had, and that mismatch is what produced the two exploitable flows.
Important Dates in the Vulnerability Chain:
1. January 29, 2018: Ubuntu changed its OverlayFS xattr code to call the internal helper __vfs_setxattr_noperm, which bypasses the permission checks that the normal vfs_setxattr entry point performs. At the time nothing depended on those checks being made there.
2. December 14, 2020: The upstream Linux kernel fixed a separate OverlayFS vulnerability by strengthening the checks in vfs_setxattr. Because Ubuntu's code still called __vfs_setxattr_noperm, the new checks never applied to its copy-up path, leaving the first vulnerable flow unresolved.
3. April 28, 2022: Further upstream changes to OverlayFS introduced a second flow, the one through ovl_copy_up_meta_inode_data, that shares the same root cause.
These dates mark crucial milestones in the vulnerability chain, highlighting the sequence of events that ultimately led to the discovery of the vulnerabilities we are currently addressing.
Who is vulnerable?
Identifying affected systems is complicated by the number of Ubuntu releases and kernel flavours in circulation. Our research team has pinpointed the impacted versions, which are as follows:
Vulnerability Detection & Mitigation Strategies:
Exploiting these vulnerabilities requires two things on the target: the ability to create an unprivileged user namespace, and an OverlayFS mount inside it. An attacker therefore already needs to execute code on the system as a local user, which makes remote exploitation unlikely; the risk is a local user, or a compromised service account or container process, escalating to root.
To stay safe, Ubuntu users should upgrade to the fixed versions of the impacted kernels (see the list above) as soon as possible. If upgrading is not immediately possible, an interim workaround is to disable unprivileged user namespaces, which removes the first precondition. Note that this knob exists only on Ubuntu and Debian kernels (not on mainline), and that turning it off can break software that relies on unprivileged user namespaces, such as rootless containers and some application sandboxes, so test it before rolling it out.
To apply this restriction, use the command:
sudo sysctl -w kernel.unprivileged_userns_clone=0
For the setting to survive a reboot, also write it to a sysctl.d drop-in (it is applied at boot, or immediately with sudo sysctl --system):
echo kernel.unprivileged_userns_clone=0 | \
sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf
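As an added example (not from the original post, and not Wiz's or Ubuntu's code), here is a small audit script that checks whether the workaround above is actually in effect: it reads the live sysctl, finds the value persisted under /etc/sysctl.d, and then probes the two attacker preconditions named above by trying to create an unprivileged user namespace and an OverlayFS mount inside one. It only tests preconditions; it sets no extended attributes and makes no escalation attempt. The function names, the "absent" state for kernels that lack the Ubuntu/Debian knob, and the choice to inspect a single sysctl.d directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit the GameOver(lay) workaround (kernel.unprivileged_userns_clone=0)
# and probe the two exploitation preconditions. Run as the unprivileged user you care about.

SYSCTL_PATH=/proc/sys/kernel/unprivileged_userns_clone   # Ubuntu/Debian-specific knob

# Print "disabled", "enabled" or "absent" for the live knob. The path can be overridden
# for testing. "absent" means the running kernel does not carry the Ubuntu/Debian patch,
# so this particular workaround does not apply to it.
userns_clone_state() {
  local f="${1:-$SYSCTL_PATH}"
  if [ ! -r "$f" ]; then echo absent; return; fi
  case "$(cat "$f")" in
    0) echo disabled ;;
    1) echo enabled ;;
    *) echo absent ;;
  esac
}

# Print the last value assigned to kernel.unprivileged_userns_clone across the *.conf files
# of one sysctl.d directory (lexicographic order, later files win), or "unset".
# Assumption: a single directory is inspected; a full audit would also read
# /etc/sysctl.conf, which sysctl --system applies last.
persisted_userns_setting() {
  local dir="${1:-/etc/sysctl.d}" val="" f v
  for f in "$dir"/*.conf; do
    [ -e "$f" ] || continue
    # drop comments, keep the last assignment of the key in this file, extract the value
    v=$(sed -e 's/#.*//' "$f" \
        | grep -E '^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=' \
        | tail -n 1 | sed -E 's/.*=[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$v" ] && val="$v"
  done
  echo "${val:-unset}"
}

# Probe 1: can this user create a user namespace at all?
# "unknown" if util-linux's unshare is not installed.
can_create_userns() {
  command -v unshare >/dev/null 2>&1 || { echo unknown; return; }
  if unshare -Ur true >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Probe 2: can this user get an OverlayFS mount inside a user+mount namespace?
# The mount lives only in the short-lived namespace and is torn down with it.
can_unpriv_overlay_mount() {
  local d r
  command -v unshare >/dev/null 2>&1 || { echo unknown; return; }
  d=$(mktemp -d) || { echo unknown; return; }
  mkdir -p "$d/lower" "$d/upper" "$d/work" "$d/merged"
  if unshare -Urm sh -c "mount -t overlay overlay \
        -o lowerdir=$d/lower,upperdir=$d/upper,workdir=$d/work $d/merged" \
        >/dev/null 2>&1; then r=yes; else r=no; fi
  rm -rf "$d"
  echo "$r"
}

# Report. A host is still exposed to the userns route when the first two lines say
# "enabled"/"unset" and the probes say "yes".
echo "live sysctl:        $(userns_clone_state)"
echo "persisted setting:  $(persisted_userns_setting)"
echo "userns creatable:   $(can_create_userns)"
echo "overlay mountable:  $(can_unpriv_overlay_mount)"
```

A "disabled" live value with an "unset" persisted value means the workaround will silently disappear at the next reboot, which is the common mistake when only the first sysctl command above is run. Both probes reporting "yes" on an unpatched kernel means an ordinary local user has everything the published exploits need.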
Additionally, organizations can take advantage of advanced Armoryze risk-based vulnerability management service to gain valuable insights into potential risks and vulnerabilities. By leveraging such proactive measures, businesses can enhance their cybersecurity defenses, ensuring a secure digital environment without compromising on performance or efficiency.
In the face of ever-evolving cybersecurity threats, it is imperative to remain vigilant and proactive in safeguarding our digital assets. The vulnerabilities uncovered in Ubuntu Linux's OverlayFS module, known as GameOver(lay), underscore the importance of risk-based vulnerability management services, like the one offered by Armoryze. By understanding the intricacies of kernel interactions and the implications of open-source project modifications, we can empower our defenders with the knowledge they need to protect against potential adversaries.
GameOver(lay) reminds us that even the most trusted and widely-used software can be vulnerable, emphasizing the need for continuous monitoring and proactive measures. Upgrading to fixed versions, implementing user namespace restrictions, and leveraging advanced vulnerability management services are essential steps in mitigating risks effectively.
At Armoryze, we are committed to helping businesses strengthen their cybersecurity defenses through our risk-based vulnerability management service. By scheduling a FREE consultation with our team, you can gain valuable insights into your organization's potential vulnerabilities and take action to address them proactively.
Let us work together to fortify our defenses and create a safer digital environment for all. With Armoryze at your side, you can confidently face future challenges and stay ahead of emerging threats. Protecting your valuable assets is not just a responsibility; it's a necessity in today's fast-changing digital world. Take the first step towards a more secure future by scheduling your FREE consultation with Armoryze today. Together, we can ensure a resilient and secure cyber landscape for your organization and beyond.