Ubuntu Linux Cloud Workloads Face Rampant Root Take Takeovers

Two vulnerabilities in the Ubuntu implementation of a popular container-based file system allow attackers to execute code with root privileges on 40% of Ubuntu Linux cloud workloads, researchers have found.

The flaws — tracked as CVE-2023-2640 and CVE-2023-32629 and dubbed "GameOverlay" by Wiz researchers — are found in the OverlayFS module of Ubuntu Linux and are the result of changes Ubuntu made to the module in 2018, which, at the time, posed no threat, researchers from cloud security firm Wiz revealed in a blog post.

Both vulnerabilities are easy to exploit; in fact, weaponized exploits for them already are publicly available "given old exploits for past OverlayFS vulnerabilities work out of the box without any changes," Wiz's Sagi Tzadik and Shir Tamari noted in the post.

Linux Kernel Security "Spaghetti"

OverlayFS is a Linux filesystem enabling the deployment of dynamic filesystems based on pre-built images, which has made it a popular choice for container-based cloud environments that run on the open-source OS.

The Linux kernel project modified the OverlayFS module in 2019 and 2022 in ways that conflicted with Ubuntu's 2018 changes. Thus, when Ubuntu adopted the Linux project's changes, it inadvertently created in its version of the OS the two CVEs, one in 2019 (CVE-2023-32629) and the other (CVE-2023-2640) in 2022, the researchers said.

"Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu's individual changes to the OverlayFS module," they wrote.

What's more, since the flaws are the result of subtle changes introduced by Ubuntu years ago, it suggests they may not be the only issues lurking in "the shadows of the Linux kernel spaghetti," Wiz CTO and co-founder Ami Luttwak observes in an email to Dark Reading.

How Elevated User Privileges Occur

Ubuntu has patched the flaws, among several others, in a security update released this week. Both flaws, discovered by Tzadik and Tamari, cause OverlayFS running on Ubuntu Linux to fail to perform permission checks properly in certain situations, allowing a local attacker to elevate privileges on the system, according to the update.

The flaws, while separate, create similar exploitable scenarios, yet affect slightly different versions of the kernel. They both affect a feature of OverlayFS that allows the file system to be mounted by any user within a user "namespace," which, in turn, enables the mapping of user and group IDs between the host and a new, separated execution environment, like in a namespace or container. This ensures user isolation and privilege separation in Linux-based cloud deployments.

"When a low-privileged Linux user enters a new user namespace, they are automatically granted all Linux capabilities within that namespace," the researchers wrote. "These capabilities empower them to perform some administrative-like operations, such as mounting a set of filesystems."

Exploiting the flaws allow the creation of specialized executables that, when executed, grant the ability to escalate privileges to "root" on the affected machine. An attacker can then exploit a Linux feature — only available to a root user — called "file capabilities" that grant elevated privileges to executables while they're executed.

"We discovered that it's possible to craft an executable file with scoped file capabilities and trick the Ubuntu Kernel into copying it to a different location with unscoped capabilities, granting anyone who executes it root-like privileges," the researchers wrote.

Linux's Security Dilemma

The vulnerabilities highlight a common issue for Linux, which has remained open source even as its distribution base has grown exponentially, thus making it a bigger target for threat actors, particularly across cloud environments. In fact, the versions of Ubuntu impacted by the flaws are prevalent in the cloud, as they serve as the default OSes for multiple cloud service providers (CSPs), the researchers said.

While open source certainly has its advantages, it also comes with challenges. In this case, since developers have free rein to update the OS code base to suit the particular needs of a deployment, it creates conflict with the Linux kernel that's maintained as the standard, the researchers noted.

"This shows the complex relationship between Linux kernel and distro versions, when both are updating the kernel for different use cases," they wrote. "This complexity introduces … hard-to-predict risks."

Mitigation & Protection for Ubuntu Cloud Vulns

Wiz recommends that security teams of affected Ubuntu-based cloud environments immediately patch workloads affected by the flaws to mitigate risks. They also can apply a simpler mitigation — that is, "restricting OverlayFS to root users only," Raaz Herzberg, head of product, tells Dark Reading.

He advises administrators to refer to Ubuntu's security advisory on each the flaws — and follow steps for mitigation found there. Those instructions can be found here for CVE-2023-32629 and here for CVE-2023-2640.

Overall, administrators of cloud environments should keep all software running in container-based environments up-to-date to mitigate known vulnerabilities, and ensure they have visibility into all of their software assets across the entire cloud to stay on top of patching, Herzberg advises.

They also should limit Internet exposure only to the assets that absolutely need it to perform their essential functions and enforce strict permissions across the environment to limit the attack surface, he adds.