CVE-2021-3493 is an Ubuntu-specific issue in the OverlayFS file system in the
Linux kernel, which did not properly validate the application of file system
capabilities with respect to user namespaces. Because of a patch carried in
Ubuntu to allow unprivileged OverlayFS mounts, a local attacker could use this
to gain elevated privileges.
Introduction
This document illustrates the exploitation of a vulnerability in Ubuntu in
which the OverlayFS file system allows local users to gain root privileges.
The vulnerability was reported by an independent security researcher to the
SSD Secure Disclosure program and was allotted a CVE on 04/17/2021.
OverlayFS
OverlayFS is a union mount filesystem on Linux. It is a Linux kernel module
that allows the system to combine several mount points into one so that you
can access all the files from each within one directory structure.
It is often used by live USBs and some other specialist applications. One use
is to have a read-only root file system with another partition overlaid on
it, so that applications can write to a temporary file system.
Mount
Mounting is the process by which the operating system makes files and
directories on a storage device (such as a hard drive, CD-ROM, or network
share) available for users to access via the computer's file system.
Union Mount
Union mount is a way of combining multiple directories into one that appears
to contain their combined contents.
File Capabilities
File capabilities aim to provide fine-grained control over root
permissions. They partition the privileges of root into a set of distinct and
independent privileges. Using them reduces or removes the need to switch to
the root user.
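File capabilities are stored in the `security.capability` extended attribute, and revision 3 of that record carries a `rootid` that ties it to a user namespace, while revisions 1 and 2 do not. The following audit helper is an added example, not code from the original page or from any project it mentions: it decodes the attribute and reports files whose non-namespaced record grants a root-equivalent capability. The function names and the `RISKY` policy are assumptions of this example.

```python
import os
import struct

# Layout per the kernel's include/uapi/linux/capability.h, little-endian u32s:
#   magic_etc | (permitted, inheritable) x N | rootid (revision 3 only)
REVISIONS = {0x01000000: (1, 1), 0x02000000: (2, 2), 0x03000000: (3, 2)}
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Example policy (an assumption): capability bits treated as root-equivalent.
RISKY = {1: "CAP_DAC_OVERRIDE", 6: "CAP_SETGID", 7: "CAP_SETUID",
         16: "CAP_SYS_MODULE", 21: "CAP_SYS_ADMIN"}

def parse_vfs_cap(raw):
    """Decode a security.capability value; raise ValueError if malformed."""
    if len(raw) < 4:
        raise ValueError("truncated xattr")
    magic = struct.unpack_from("<I", raw)[0]
    if (magic & 0xFF000000) not in REVISIONS:
        raise ValueError("unknown revision 0x%08x" % magic)
    rev, pairs = REVISIONS[magic & 0xFF000000]
    if len(raw) != 4 + 8 * pairs + (4 if rev == 3 else 0):
        raise ValueError("bad length %d for revision %d" % (len(raw), rev))
    words = struct.unpack_from("<%dI" % (2 * pairs), raw, 4)
    permitted = sum(words[2 * i] << (32 * i) for i in range(pairs))
    return {
        "revision": rev,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": permitted,
        # rootid: uid of the root user of the namespace the record is scoped to
        "rootid": struct.unpack_from("<I", raw, 4 + 8 * pairs)[0] if rev == 3 else None,
        "risky": sorted(n for bit, n in RISKY.items() if permitted >> bit & 1),
    }

def needs_review(info):
    """True for a non-namespaced record granting a root-equivalent capability."""
    return info["rootid"] is None and bool(info["risky"])

def audit(top):
    """Yield (path, info) for files under top that need review (Linux only)."""
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
                info = parse_vfs_cap(raw)
            except (OSError, ValueError):
                continue  # no capability xattr, unreadable, or malformed
            if needs_review(info):
                yield path, info
```

Calling `audit("/")` as root and comparing the result against the files your packages are expected to ship with capabilities shows any unexpected entries.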
Exploit Working
The exploit works by executing a compiled C program on the machine. If the
system is vulnerable, any user who can run a binary can escalate to root very
easily.
The exploit requires the GCC compiler to be installed on the system. If no C
compiler is installed on the machine, you can compile the binary statically
elsewhere and copy just the binary over.
CVSSv3:
- Base Score - 7.8
- Impact Score - 5.9
- Exploitability Score - 1.8
- Severity - HIGH
Scope Impact:
An attacker who exploits this vulnerability can access all commands and files
on the vulnerable machine.
Affected Versions
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 ESM
Unaffected Versions
Other Linux distributions are not affected because this issue is likely
Ubuntu-specific, as Ubuntu carries a patch to enable unprivileged overlayfs
mounts.
Mitigation
A commit that addresses the issue was applied in the upstream kernel:
7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into vfs_setxattr()")
(v5.10)
It was added prior to the upstream kernel commit allowing unprivileged
overlayfs mounts:
459c7c565ac3 ("ovl: unprivileged mounts") (v5.11)
The problem can be corrected by updating your kernel live patch to the
following versions:
We hope this helps. If you have any suggestions or doubts, you can add a
comment and we will reply as soon as possible.