CVE-2023-0386: A New Linux Kernel Vulnerability Puts Systems at Risk

A new vulnerability has been discovered in the Linux kernel that could potentially allow local attackers to escalate their privileges on a system. Designated as CVE-2023-0386, this vulnerability has been assigned a CVSS score of 7.0, indicating a high level of severity. The flaw resides in the Linux kernel’s OverlayFS subsystem, specifically in how the setuid file with capabilities is executed.

Photo by Gabriel Heinzer on Unsplash

The Vulnerability: CVE-2023-0386

The vulnerability lies in the Linux kernel’s OverlayFS subsystem, which handles unauthorized access to the execution of the setuid file with capabilities. An attacker with low privileges on a Linux machine that has an overlay mount, containing a file capability in one of its layers, can escalate their privileges up to root by copying a capable file from a nosuid mount into another mount. CVE-2023-0386 shares similarities with CVE-2021-3847 but requires fewer permissions to execute, making it a higher priority.

Exploiting the Vulnerability: A Step-by-Step Guide

1. Mount a FUSE filesystem that exposes a root owned setuid/setgid binary that is world writable.
2. Unshare user/mount namespaces
3. Mount an overlay with the FUSE fs as the lower dir, and a user writable upper dir (as usual). Make sure that the upper dir is on a filesystem that is not mounted with `nosuid`.
4. Touch the file at the merged path to update its mtime, which will trigger a copy-up of the file
5. The setuid/gid bitsare not cleared by the kernel, so the upper directory will contain a copy of the binary with the setuid bits.
6. Run the binary from the upper dir and it will run as root

Comparing CVE-2023-0386 and CVE-2021-3847

CVE-2021-3847 specifically involves file capabilities (xattrs) and requires physical access through USB mounts, which is often disabled in production environments. Conversely, CVE-2023-0386 leverages setgid/setuid bits that are not user-namespace specific and does not require physical access. FUSE, which is installed in many production environments (including Ubuntu out of the box and Red Hat/Fedora with popular packages), makes this vulnerability more dangerous.

Protect your system

CVE-2023-0386 poses a significant threat to Linux systems, as it allows local attackers to escalate their privileges and potentially compromise the entire system. Given the widespread use of Linux in both personal and enterprise environments, this vulnerability should be addressed with urgency. Linux users should be vigilant in keeping their systems up to date and monitoring for patches to mitigate the risk associated with this high-severity flaw.