Vulnerabilities could expose Ubuntu users to privilege escalation attacks

Researchers have discovered two vulnerabilities in the Linux operating system Ubuntu with the potential to grant attackers escalated privileges.

The two bugs impact OverlayFS, a widely installed Linux filesystem used for containerization on cloud servers with technologies like Docker and Kubernetes.

After being notified of the vulnerabilities by researchers with the cloud security firm Wiz in June, Ubuntu released patches for both on Tuesday.

The issues are unique to Ubuntu, which is just one version of the open-source Linux OS. They stem from modifications Ubuntu made in 2018 to its own version of the OverlayFS module — specifically, the setting of extended attributes, which define user permissions.

When Linux released a fix for a vulnerability in 2020 related to extended attributes, the patch didn’t carry over in Ubuntu due to the modification. Then in 2022, “additional OverlayFS modifications by Linux” meant “a second vulnerable flow was introduced that shares the same root cause,” Wiz said.

"Subtle changes in the Linux kernel introduced by Ubuntu many years ago have unforeseen implications,” said Ami Luttwak, Wiz chief technical officer and co-founder. “We found two privilege escalation vulnerabilities caused by these changes and who knows how many other vulnerabilities are still lurking in the shadows of the Linux kernel spaghetti?"

Tracked as the high-severity CVE-2023-2640 and medium-severity CVE-2023-32629, the two flaws potentially allow attackers to gain elevated privileges on a Linux kernel and to perform local code execution.

The estimated scope is significant, with researchers saying that some 40% of Ubuntu systems could have been impacted. According to Canonical, the for-profit company behind Ubuntu, its desktop version was installed more than 20 million times last year.

“The vulnerabilities shown here do highlight how the relationships between Linux kernel development and individual distributions adding their own special tweaks can have unforeseen consequences,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “Fortunately, while these vulnerabilities would be easy to exploit, they require local user access which should limit the attack surface.”