
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2023-2640 is a privilege escalation vulnerability discovered in Ubuntu's OverlayFS module. The vulnerability was identified in July 2023 and affects Ubuntu kernels carrying both c914c0e27eb0 and 'UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs'. This vulnerability allows an unprivileged user to set privileged extended attributes on mounted files, which are then set on the upper files without appropriate security checks (Ubuntu Security, NVD).
The vulnerability exists in the OverlayFS implementation, a union filesystem that layers one filesystem on top of another. The issue stems from Ubuntu's modifications to the OverlayFS module: when copying extended attributes up to the upper layer, the kernel uses an internal helper that skips permission checks (__vfs_setxattr_noperm) instead of the permission-checking vfs_setxattr. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Wiz Blog, NVD).
The vulnerability affects approximately 40% of Ubuntu cloud workloads. When exploited, it allows attackers to escalate privileges to root on affected machines. The vulnerability is particularly concerning because existing exploits for previous OverlayFS vulnerabilities can be used without modification to exploit this issue (Wiz Blog).
Ubuntu released fixed versions for the impacted kernels on July 24, 2023. For systems that cannot be immediately upgraded, a workaround is available by restricting unprivileged user namespace creation. This can be accomplished by executing 'sudo sysctl -w kernel.unprivileged_userns_clone=0' (takes effect immediately, until the next reboot) or made persistent across reboots with 'echo kernel.unprivileged_userns_clone=0 | sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf' (applied at boot or by 'sudo sysctl --system'). Note that disabling unprivileged user namespaces can break software that relies on them, such as rootless container tooling, so the change should be tested before being rolled out (Wiz Blog, Ubuntu Security).
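As an added example that is not part of the Wiz entry, the following POSIX shell helper audits whether the workaround above is active at runtime and whether it is pinned in a sysctl.d drop-in; the file paths are parameters so the check can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added audit helper (not from the Wiz entry). Reports whether the
# CVE-2023-2640 workaround (kernel.unprivileged_userns_clone=0) is
# active at runtime and whether it is persisted in a sysctl.d drop-in.
# Paths are parameters so the check can run against constructed files.

# Runtime check: a value of 0 means unprivileged user namespaces are off.
# $1 = path to the sysctl value file (default: the live /proc entry).
# Returns 0 if disabled, 1 if enabled, 2 if the sysctl does not exist
# (non-Ubuntu kernels do not expose this key).
userns_runtime_disabled() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -r "$f" ] || return 2
    [ "$(tr -d '[:space:]' < "$f")" = "0" ]
}

# Persistence check: does the given sysctl.d file pin the key to 0?
# Comment lines are ignored and whitespace around '=' is accepted.
# $1 = sysctl.d config file to inspect. Returns 2 if the file is missing.
userns_persisted_disabled() {
    [ -r "$1" ] || return 2
    grep -v '^[[:space:]]*#' "$1" \
      | grep -E '^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=[[:space:]]*0[[:space:]]*$' \
      >/dev/null
}

# Combine both checks into one verdict line, e.g. "runtime=yes persisted=no".
# $1 = runtime value file, $2 = sysctl.d drop-in to inspect.
userns_workaround_status() {
    rt=$(userns_runtime_disabled "$1" && echo yes || echo no)
    ps=$(userns_persisted_disabled "$2" && echo yes || echo no)
    echo "runtime=$rt persisted=$ps"
}
```

Running it with no arguments on an Ubuntu host inspects the live /proc value; pass the drop-in path (for example /etc/sysctl.d/99-disable-unpriv-userns.conf) as the second argument to confirm persistence.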
Source: This report was generated using AI