Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2023-32629
CVE-2023-32629:
Linux Ubuntu vulnerability analysis and mitigation
Overview
CVE-2023-32629 is a local privilege escalation vulnerability discovered in the Ubuntu Linux kernel's OverlayFS implementation. The vulnerability was discovered by Shir Tamari and Sagi Tzadik and disclosed in June 2023. The issue affects Ubuntu kernels where overlayfs ovlcopyupmetainodedata skips permission checks when calling ovldo_setxattr. This vulnerability has a CVSS score of 7.8 (High) (Ubuntu Security, NVD).
Technical details
The vulnerability exists in the OverlayFS module, which is a union filesystem that allows one filesystem to be overlaid on top of another. The issue stems from Ubuntu's modifications to the OverlayFS module, specifically in the ovldosetxattr function which calls _vfssetxattrnoperm directly instead of vfssetxattr. This implementation fails to properly convert file security capabilities to limit them to a user namespace before copying them to the upper directory. The vulnerability can be triggered when mounting OverlayFS with metacopy=on, where only file metadata is copied instead of the entire file (Wiz Blog).
Impact
The vulnerability allows local attackers to gain elevated privileges on affected systems. When successfully exploited, an attacker can escalate privileges to root level, potentially gaining complete control over the system. The vulnerability affects approximately 40% of Ubuntu cloud workloads and is particularly concerning because existing exploits for previous OverlayFS vulnerabilities can be used without modification (Wiz Blog).
Mitigation and workarounds
Ubuntu has released patches for affected versions. If immediate patching is not possible, a workaround is available by disabling unprivileged user namespace creation. This can be done temporarily using 'sudo sysctl -w kernel.unprivilegedusernsclone=0' or permanently by adding the setting to /etc/sysctl.d/99-disable-unpriv-userns.conf. Users are strongly advised to update their kernels to the latest version (Ubuntu Security, Wiz Blog).
Community reactions
The vulnerability has garnered significant attention due to its wide impact on Ubuntu systems and its ease of exploitation. Security researchers have dubbed it 'GameOver(lay)' along with its companion vulnerability CVE-2023-2640, highlighting the serious nature of these security flaws. The discovery also sparked discussions about the risks of modifying complex open-source projects, as Ubuntu's initial kernel modifications appeared harmless but became problematic after subsequent Linux kernel changes (Wiz Blog).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management