CyberSecurity SEE

Ubuntu Linux Cloud Workloads Vulnerable to Widespread Root Takeovers

Two vulnerabilities in the Ubuntu implementation of a popular container-based file system have been discovered by researchers at cloud security firm Wiz. These vulnerabilities, known as CVE-2023-2640 and CVE-2023-32629, have been dubbed “GameOverlay” by the researchers. They allow attackers to execute code with root privileges on 40% of Ubuntu Linux cloud workloads.

The vulnerabilities lie in the OverlayFS module of the Ubuntu kernel and stem from changes Ubuntu made to the module in 2018. Those changes were harmless at the time, but the researchers found that they became exploitable once Ubuntu picked up other changes made by the Linux kernel project in 2019 and 2022.

One of the researchers, Sagi Tzadik, explained that the vulnerabilities are unique to Ubuntu kernels because they stem from Ubuntu’s own changes to the OverlayFS module. Because the vulnerabilities result from changes made years ago, he added, other issues of the same kind may still be lurking in the Linux kernel.

Both vulnerabilities are easy to exploit, and weaponized exploits are already publicly available, because exploits written for earlier OverlayFS vulnerabilities work against them without modification. As a result, the researchers are urging Ubuntu users to patch their systems immediately.

OverlayFS is a Linux filesystem widely used in container-based cloud environments, and the vulnerabilities illustrate a recurring problem for Linux: as an open-source operating system whose popularity has grown exponentially, it has become a bigger target for threat actors. The researchers noted that the affected Ubuntu versions are prevalent in the cloud, since they are the default OS on several cloud service providers.

While open source has its advantages, it also comes with challenges. Distribution developers are free to modify the kernel code base to suit their deployment needs, and those modifications can diverge from, and later conflict with, changes in the upstream Linux kernel. This complex relationship between the Linux kernel and distribution kernels introduces risks that are hard to predict.

To mitigate the vulnerabilities, Wiz recommends that operators of affected Ubuntu-based cloud environments patch their workloads immediately. As a simpler interim mitigation, OverlayFS can be restricted to root users only. The researchers advise administrators to refer to Ubuntu’s security advisory for each vulnerability and follow the mitigation steps it provides.
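As an added example (not from the article, and not Wiz’s or Ubuntu’s own tooling), the following POSIX shell script audits whether the "OverlayFS for root only" interim mitigation is in place on an Ubuntu host and, when run as root, applies it. It assumes the mitigation is expressed through the Ubuntu kernel’s kernel.unprivileged_userns_clone sysctl, which the article does not name, and the persisted file name is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the article or from Wiz: audit and (as root) apply the
# "OverlayFS for root only" interim mitigation on an Ubuntu host. Unprivileged
# users reach OverlayFS through unprivileged user namespaces, so the knob is the
# Ubuntu-specific sysctl kernel.unprivileged_userns_clone (0 = root only, 1 = anyone).
SYSCTL_KEY="kernel.unprivileged_userns_clone"
PROC_PATH="/proc/sys/kernel/unprivileged_userns_clone"
PERSIST_FILE="/etc/sysctl.d/99-overlayfs-root-only.conf"   # file name is an assumption

# Extract the value from a "key = value" line as printed by sysctl(8).
sysctl_value() {
  printf '%s\n' "$1" | sed -n 's/^[^=]*= *//p'
}

# Classify a raw value: prints mitigated|exposed|unknown, exit 0 only when mitigated.
classify_userns_value() {
  case "$1" in
    0) echo "mitigated"; return 0 ;;
    1) echo "exposed";   return 1 ;;
    *) echo "unknown";   return 2 ;;
  esac
}

# Read the live setting. On kernels without the Ubuntu patch the file is absent:
# that is reported as not-applicable, since this particular mitigation has no effect there.
audit_host() {
  [ -r "$PROC_PATH" ] || { echo "not-applicable"; return 2; }
  classify_userns_value "$(cat "$PROC_PATH")"
}

# Apply for the running kernel and persist across reboots. Caveat: this also breaks
# rootless containers and other sandboxes that need unprivileged user namespaces,
# so it is a stopgap until the patched kernel is installed, not a replacement for it.
apply_mitigation() {
  sysctl -w "${SYSCTL_KEY}=0" || return 1
  printf '%s = 0\n' "$SYSCTL_KEY" > "$PERSIST_FILE"
}

# Constructed sample line, as sysctl(8) would print it on an unmitigated host.
SAMPLE_LINE="kernel.unprivileged_userns_clone = 1"

if [ $# -gt 0 ]; then
  case "$1" in
    audit) audit_host ;;
    apply) apply_mitigation ;;
    demo)  classify_userns_value "$(sysctl_value "$SAMPLE_LINE")" ;;
  esac
fi
```

Run with `audit` on each host to report mitigated, exposed or not-applicable; `apply` requires root and should be reverted once the patched kernel is booted if rootless containers are in use.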

Overall, administrators of cloud environments should ensure that all software running in container-based environments is kept up to date so that known vulnerabilities are closed. They should also maintain visibility into all their software assets across the entire cloud and apply patches promptly. Exposing only essential assets to the Internet and enforcing strict permissions further reduces the attack surface.

The discovery of these vulnerabilities serves as a reminder of the ongoing security challenges faced by the Linux community. As Linux continues to grow in popularity, it becomes increasingly important to address vulnerabilities promptly and implement robust security measures to protect cloud environments.
