Ubuntu Linux Cloud Workloads Face Rampant Root Takeovers

Published: 23/11/2024   Category: security




Some 40% of Ubuntu Linux cloud workloads subject to GameOverlay security bugs in the OverlayFS module.



Two vulnerabilities in the Ubuntu implementation of a popular container-based file system allow attackers to execute code with root privileges on 40% of Ubuntu Linux cloud workloads, researchers have found.
The flaws — tracked as CVE-2023-2640 and CVE-2023-32629 and dubbed GameOverlay by Wiz researchers — are found in the OverlayFS module of Ubuntu Linux and are the result of changes Ubuntu made to the module in 2018, which, at the time, posed no threat, researchers from cloud security firm Wiz revealed in a blog post.
Both vulnerabilities are easy to exploit; in fact, weaponized exploits for them are already publicly available, given that old exploits for past OverlayFS vulnerabilities work out of the box without any changes, Wiz's Sagi Tzadik and Shir Tamari noted in the post.
OverlayFS is a Linux filesystem enabling the deployment of dynamic filesystems based on pre-built images, which has made it a popular choice for container-based cloud environments that run on the open-source OS.
The Linux kernel project modified the OverlayFS module in 2019 and 2022 in ways that conflicted with Ubuntu's 2018 changes. Thus, when Ubuntu adopted the Linux project's changes, it inadvertently created the two CVEs in its version of the OS, one in 2019 (CVE-2023-32629) and the other (CVE-2023-2640) in 2022, the researchers said.
"Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu's individual changes to the OverlayFS module," they wrote.
"What's more, since the flaws are the result of subtle changes introduced by Ubuntu years ago, it suggests they may not be the only issues lurking in the shadows of the Linux kernel spaghetti," Wiz CTO and co-founder Ami Luttwak observes in an email to Dark Reading.
Ubuntu has patched the flaws, among several others, in a security update released this week. Both flaws, discovered by Tzadik and Tamari, cause OverlayFS running on Ubuntu Linux to fail to perform permission checks properly in certain situations, allowing a local attacker to elevate privileges on the system, according to the update.
The flaws, while separate, create similar exploitable scenarios, yet affect slightly different versions of the kernel. They both affect a feature of OverlayFS that allows the file system to be mounted by any user within a user namespace, which, in turn, enables the mapping of user and group IDs between the host and a new, separated execution environment, like in a namespace or container. This ensures user isolation and privilege separation in Linux-based cloud deployments.
"When a low-privileged Linux user enters a new user namespace, they are automatically granted all Linux capabilities within that namespace," the researchers wrote. "These capabilities empower them to perform some administrative-like operations, such as mounting a set of filesystems."
Exploiting the flaws allows the creation of specialized executables that, when executed, grant the ability to escalate privileges to root on the affected machine. An attacker can then exploit a Linux feature — only available to a root user — called file capabilities, which grants elevated privileges to executables while they're executed.
"We discovered that it's possible to craft an executable file with scoped file capabilities and trick the Ubuntu Kernel into copying it to a different location with unscoped capabilities, granting anyone who executes it root-like privileges," the researchers wrote.
The vulnerabilities highlight a common issue for Linux, which has remained open source even as its distribution base has grown exponentially, thus making it a bigger target for threat actors, particularly across cloud environments. In fact, the versions of Ubuntu impacted by the flaws are prevalent in the cloud, as they serve as the default OSes for multiple cloud service providers (CSPs), the researchers said.
While open source certainly has its advantages, it also comes with challenges. In this case, since developers have free rein to update the OS code base to suit the particular needs of a deployment, it creates conflict with the Linux kernel that's maintained as the standard, the researchers noted.
"This shows the complex relationship between Linux kernel and distro versions, when both are updating the kernel for different use cases," they wrote. "This complexity introduces … hard-to-predict risks."
Wiz recommends that security teams of affected Ubuntu-based cloud environments immediately patch workloads affected by the flaws to mitigate risks. They also can apply a simpler mitigation — that is, restricting OverlayFS to root users only, Raaz Herzberg, head of product, tells Dark Reading.
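As an added illustration, not code from the article or from Wiz: a defender-side audit that decodes the security.capability xattr behind the "file capabilities" the researchers describe and lists files whose capabilities are unscoped (v2, or v3 with no rootid), which is the end state of the bug the article explains, so an unexpected entry on an unpatched host is worth investigating. The xattr layout is the kernel's documented one; the CAP_NAMES table is deliberately partial and the two sample xattrs are constructed, not captured.

```python
import os
import struct

# security.capability xattr layout (kernel include/uapi/linux/capability.h): little-endian u32
# magic_etc (revision in top byte, effective flag in bit 0), one (v1) or two (v2/v3)
# {permitted, inheritable} u32 pairs (low word then high word), and for v3 a trailing rootid.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID", 8: "CAP_SETGID",
             12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN"}  # partial table

# Constructed samples, not captured from a real host: a v3 cap scoped to rootid 100000 (what a
# user namespace may legitimately write) and a v2 cap with no rootid, honoured host-wide.
SAMPLE_SCOPED_V3 = struct.pack("<IIIIII", 0x03000001, 0x2080, 0, 0, 0, 100000)
SAMPLE_UNSCOPED_V2 = struct.pack("<IIIII", 0x02000001, 1 << 21, 0, 0, 0)

def parse_vfs_cap(blob):
    """Decode a raw security.capability value; 'scoped' is True only for v3 caps with a rootid."""
    if len(blob) not in (12, 20, 24):
        raise ValueError("unexpected security.capability length %d" % len(blob))
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    version = (magic_etc & VFS_CAP_REVISION_MASK) >> 24
    permitted = inheritable = 0
    for i in range(1 if version == 1 else 2):
        p, h = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= h << (32 * i)
    rootid = struct.unpack_from("<I", blob, 20)[0] if version == 3 else 0
    return {"version": version, "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid,
            "scoped": version == 3 and rootid != 0}

def cap_names(mask):
    return sorted(CAP_NAMES.get(b, "CAP_%d" % b) for b in range(64) if mask >> b & 1)

def audit_file_caps(root="/"):
    """Walk a tree and list regular files carrying unscoped file capabilities (Linux only)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # ENODATA (no caps), EACCES, or the file vanished mid-walk
                continue
            caps = parse_vfs_cap(blob)
            if not caps["scoped"]:
                findings.append((path, cap_names(caps["permitted"])))
    return findings
```

Compare the output against the distribution's expected set (ping, mtr-packet and similar); the precondition the article describes, an unprivileged user entering a user namespace, can also be removed on Ubuntu kernels with the sysctl kernel.unprivileged_userns_clone=0, at the cost of breaking rootless containers.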
He advises administrators to refer to Ubuntu's security advisory on each of the flaws — and follow the mitigation steps found there. Those instructions are in Ubuntu's advisories for CVE-2023-32629 and CVE-2023-2640.
Overall, administrators of cloud environments should keep all software running in container-based environments up to date to mitigate known vulnerabilities, and ensure they have visibility into all of their software assets across the entire cloud to stay on top of patching, Herzberg advises.
They also should limit Internet exposure only to the assets that absolutely need it to perform their essential functions and enforce strict permissions across the environment to limit the attack surface, he adds.
