CVE-2021-3847: 
CBL Mariner vulnerability analysis and mitigation

CVE-2021-3847 is a privilege escalation vulnerability discovered in the Linux kernel OverlayFS subsystem. The vulnerability allows an unauthorized access to the execution of setuid files with capabilities. This security flaw was publicly disclosed on October 14, 2021, affecting Linux systems with support for overlayFS (Openwall Report).

The vulnerability exists in the way the OverlayFS handles file capabilities during the copyup operation. When a lower layer contains a file with capabilities on a nosuid mount, a low-privileged user can trigger a copyup operation by touching the file. During this process, the overlayFS driver copies the file along with its capabilities into the upper layer, preserving the security-sensitive extended attributes that should normally be restricted. This occurs because the copy_up operation is performed with the privileges of the mounting task rather than the current user's privileges (Openwall Discussion).

The vulnerability allows a low-privileged user to escalate their privileges to root level by exploiting the file capability preservation during the copyup operation. This occurs when copying a capable file from a nosuid mount into another mount, effectively bypassing the security extended attribute attachment restrictions that normally require CAPSYSADMIN or CAPSETFCAP privileges (Openwall Report).

No immediate patch was available at the time of disclosure, as the kernel cannot enforce the proposed mitigation without causing potential layering violations and regressions. The vulnerability is fundamentally related to how overlayFS operates, being effectively a just-in-time version of 'cp -a'. System administrators should carefully consider the security implications of mounting overlayFS where the lower layer is untrusted and the upper layer is trusted (Openwall Discussion).

Security researchers have noted that this vulnerability is part of a broader pattern of security issues with overlayFS, particularly in scenarios where lower-privileged users can simultaneously access lower/upper AND the mounted file system. Some experts have advised against using or allowing such configurations due to their inherent security risks (Openwall Discussion).