OSG-SEC-2023-04-25 CRITICAL Linux Kernel OverlayFS

Dear OSG Security Contacts,

A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount (CVE-2023-0386). [2] An OSG collaborator was able to reproduce this privilege escalation using a FUSE filesystem mounted by an unprivileged user with fusermount, so the OSG security team considers the vulnerability to be CRITICAL.

IMPACTED VERSIONS:

RHEL 8 & 9 based Linux distributions [1] Note: RHEL 7 based Linux distributions are not impacted by this bug.

Various Debian [4] based and Ubuntu [3] distributions

WHAT ARE THE VULNERABILITIES:

This uid mapping bug allows a local user to escalate their privileges on the system.

WHAT YOU SHOULD DO:

Update your Linux kernels and reboot as soon as possible. Meanwhile the exploit can be mitigated by removing the "fuse" package which contains the fusermount command. This will prevent users from mounting any FUSE filesystem except through unprivileged user namespaces, and the exploit does not work through unprivileged user namespaces.

Patches are currently available for RHEL 8 & 9 and derivative distributions. For details about RHEL see reference [1].

Patches are also available for Ubuntu, Debian, and derivative Linux distributions. For details see references [3] and [4].

REFERENCES

[1] https://access.redhat.com/security/cve/CVE-2023-0386

[2] https://bugzilla.redhat.com/show_bug.cgi?id=2159505

[3] https://ubuntu.com/security/CVE-2023-0386

[4] https://security-tracker.debian.org/tracker/CVE-2023-0386

Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team