Introduction to Ubuntu OverlayFS Privesc Vulnerability

CVE-2021-3493 is an Ubuntu-specific issue in the OverlayFS file system in the Linux kernel where it did not properly validate the application of file system capabilities to use namespaces. A local attacker could use this to gain elevated privileges, due to a patch carried in Ubuntu to allow unprivileged OverlayFS mounts.


This Document illustrates the Exploitation of the vulnerability found in Ubuntu in which the OverlayFS file system allows local users under Ubuntu to gain root privileges. The Vulnerability was reported by an independent security researcher to the SSD Secure Disclosure program and was allotted CVE on 04/17/2021.


OverlayFS is a union mount filesystem on Linux. It is a Linux kernel module that allows the system to combine several mount points into one so that you can access all the files from each within one directory structure.

It is often used by live USBs or some other specialist applications. One use is having a read-only root file system and another partition overlayed with that to allow applications to write a temporary file system.


Mount is a process by which the operating system makes files and directories on a storage device (such as hard drive, CD-ROM, or network share) available for users to access via the computer's file system.

Union Mount

Union mount is a way of combining multiple directories into one that appears to contain their combined contents.

File Capabilities

File capabilities aim to provide fine-grained control over root permissions. These capabilities are a partitioning of all root privileges into a set of distinct and independent privileges. Using these functionalities reduces/prevents the need to switch as the root user.

Exploit Working

The exploit is done by executing a C file on the machine. If the system is vulnerable, you can escalate very easily from any user to root as long as you can run a binary.

The exploit used requires a GCC compiler installed on the system, if there is not a C compiler installed on the machine, you can compile the binary statically elsewhere and copy just the binary over.


  • Base Score - 7.8
  • Impact Score - 5.9
  • Exploitability Score - 1.8
  • Severity - HIGH

Scope Impact:

The scope of this vulnerability is that the attacker can have access to all commands and files on a vulnerable machine.

Affected Versions

  • Ubuntu 20.10
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM

Unaffected Versions

Another distribution of Linux is not affected because this issue is likely Ubuntu-specific, as Ubuntu carries a patch to enable unprivileged overlayfs mounts.


A commit that addresses the issue was applied in the upstream kernel:

7c03e2cda4a5 ("vfs: move cap_convert_nscap () call into vfs_setxattr ()") (v5.10)

It was added prior to the upstream kernel commit allowing unprivileged overlayfs mounts:

459c7c565ac3 ("ovl: unprivileged mounts") (v5.11)

The problem can be corrected by updating your kernel live patch to the following versions:
We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment