Two Linux vulnerabilities introduced recently into the Ubuntu kernel create the potential for unprivileged local users to gain elevated privileges on a massive number of devices.
Ubuntu is one of the most widely used Linux distributions, especially popular in the U.S., having an approximate user base of over 40 million.
Two recent flaws tracked as CVE-2023-32629 and CVE-2023-2640 discovered by Wiz’s researchers S. Tzadik and S. Tamari were recently introduced into the operating system, impacting roughly 40% of Ubuntu’s userbase.
CVE-2023-2640 is a high-severity (CVSS v3 score: 7.8) vulnerability in the Ubuntu Linux kernel caused by inadequate permission checks allowing a local attacker to gain elevated privileges.
CVE-2023-32629 is a medium-severity (CVSS v3 score: 5.4) flaw in the Linux kernel memory management subsystem, where a race condition when accessing VMAs may lead to use-after-free, allowing a local attacker to perform arbitrary code execution.
The two analysts found the problems after discovering discrepancies in implementing the OverlayFS module onto the Linux kernel.
OverlayFS is a union mount filesystem implementation targeted by threat actors many times in the past due to allowing unprivileged access via user namespaces and being plagued by easily exploitable bugs.
Ubuntu, as one of the distributions using OverlayFS, had implemented custom changes to its OverlayFS module in 2018, which were generally safe.
However, in 2019 and 2022, the Linux kernel project made its own modifications to the module, which conflicted with Ubuntu’s changes.
The widespread distribution adopted the code containing these changes recently, and the conflicts caused the introduction of the two flaws.
Unfortunately, the risk of exploitation is imminent, as PoCs for the two flaws have been publicly available for a long time.
“Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu’s individual changes to the OverlayFS module,” warned the Wiz researchers.
“Weaponized exploits for these vulnerabilities are already publicly available given old exploits for past OverlayFS vulnerabilities work out of the box without any changes.”
It should be noted that the two highlighted flaws only impact Ubuntu, and any other Linux distribution, including Ubuntu forks, not using custom modifications of the OverlayFS module should be safe.
Ubuntu has released a security bulletin about the issues and six more vulnerabilities addressed in the latest version of the Ubuntu Linux kernel and has made fixing updates available.
Users who don’t know how to reinstall and activate third-party kernel modules are recommended to perform the update via their package manager, which should take care of all dependencies and post-install configurations.
A reboot is required after installing the updates for the Linux kernel update to take effect on Ubuntu.