HIGH CISA KEV
overlayfs CopyUp Privilege Bypass
CVE-2023-0386
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 7.8 HIGH
01 Description
A flaw was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file (one carrying file capabilities or the setuid bit) from a nosuid mount into another mount. The copy-up did not check that the file's uid and gid are mapped in the mounter's user namespace, so a file that is harmless on the nosuid mount could be reproduced, with its ownership and capabilities intact, on a mount where nosuid does not apply. This uid-mapping bug allows a local user to escalate their privileges on the system.
02 KernelScan AI Analysis
Risk summary
A local user could escalate privileges by using an OverlayFS copy-up to reproduce an executable that carries capabilities (or the setuid bit) from a nosuid mount onto a filesystem where nosuid does not apply. The copy-up did not validate that the file's uid and gid have a mapping in the mounter's user namespace, so the nosuid restriction on the source mount was bypassed.
Vulnerability analysis
Root Cause: The OverlayFS copy-up path (ovl_copy_up_one() in fs/overlayfs/copy_up.c) reproduced the lower file's owner, mode and extended attributes on the upper filesystem without checking that the lower file's uid and gid have a mapping in the mounter's user namespace. When the overlay was mounted inside an unprivileged user namespace and the lower file belonged to an id with no mapping there, the copy-up still succeeded, so a capable file that the nosuid lower mount rendered harmless was recreated on the upper filesystem with that ownership and its capabilities intact, where it could be executed.
Attack Surface: Local, unprivileged. The attacker needs to mount an OverlayFS instance, which an unprivileged user can do inside a user namespace on kernels that permit unprivileged overlay mounts (mainline 5.11 and later) when unprivileged user namespace creation is enabled on the host, plus a lower directory on a nosuid mount that holds the capable file. No network access or special hardware is required.
Fix Mechanism: The patch (4f11ada10d0a, "ovl: fail on invalid uid/gid mapping at copy up") adds a check in ovl_copy_up_one() using kuid_has_mapping() and kgid_has_mapping() against current_user_ns(), which under the overlay's overridden credentials is the mounter's user namespace, on the uid and gid read from the lower file's stat. If either id has no mapping, copy-up fails with -EOVERFLOW before the upper file is created. A practical consequence is that, on an unprivileged overlay, writing to a lower file owned by an id outside the mounter's namespace now returns EOVERFLOW instead of silently succeeding.
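The mapping check described above, modelled as an added stand-alone C program (this is illustration written for this page, not kernel code and not from the KernelScan analysis): it reproduces the semantics of /proc/<pid>/uid_map extents and the kuid_has_mapping()/kgid_has_mapping() lookup in userspace, then applies the post-fix copy-up gate to constructed lower-file ownerships. The namespace map, the file ownerships and the helper names map_id_up(), id_has_mapping() and ovl_copy_up_mapping_check() are assumptions for illustration; the program generalises the single-extent case to the multi-extent maps a rootless container setup produces.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The kernel returns (uid_t)-1 from from_kuid() when a kernel id has no mapping in a namespace. */
#define INVALID_ID ((uint32_t)-1)

/* One line of /proc/<pid>/uid_map or gid_map: "<first> <lower_first> <count>". */
struct id_extent {
    uint32_t first;        /* first id as seen inside the namespace */
    uint32_t lower_first;  /* corresponding kernel (global) id */
    uint32_t count;        /* number of ids in the extent */
};

struct id_map {
    const struct id_extent *ext;
    size_t nr;
};

/* Userspace model of map_id_up(): translate a kernel id into the namespace's view of it. */
static uint32_t map_id_up(const struct id_map *m, uint32_t kid)
{
    for (size_t i = 0; i < m->nr; i++) {
        const struct id_extent *e = &m->ext[i];
        if (kid >= e->lower_first &&
            (uint64_t)kid < (uint64_t)e->lower_first + e->count)
            return e->first + (kid - e->lower_first);
    }
    return INVALID_ID;
}

/* Model of kuid_has_mapping()/kgid_has_mapping(): can the namespace name this kernel id at all? */
static bool id_has_mapping(const struct id_map *m, uint32_t kid)
{
    return map_id_up(m, kid) != INVALID_ID;
}

/* The owner fields of the lower inode's kstat that copy-up reproduces on the upper file. */
struct lower_stat {
    uint32_t kuid;      /* kernel uid of the lower file */
    uint32_t kgid;      /* kernel gid of the lower file */
    unsigned int mode;  /* mode bits, including setuid, copied along */
};

/*
 * Assumed model of the gate the fix adds before copy-up: both owner ids of the lower
 * file must map into the mounter's namespace, otherwise copy-up is refused with
 * -EOVERFLOW and the file (with its mode bits and capability xattr) is never
 * materialised on the upper filesystem.
 */
static int ovl_copy_up_mapping_check(const struct id_map *uid_map,
                                     const struct id_map *gid_map,
                                     const struct lower_stat *st)
{
    if (!id_has_mapping(uid_map, st->kuid) || !id_has_mapping(gid_map, st->kgid))
        return -EOVERFLOW;
    return 0;
}

/* Constructed mounter namespace: a rootless user (uid/gid 1000) with a subordinate range,
 * as newuidmap/newgidmap would write it: inside 0 -> kernel 1000, inside 1..65536 -> kernel 100000.. */
static const struct id_extent mounter_extents[] = {
    { .first = 0, .lower_first = 1000,   .count = 1 },
    { .first = 1, .lower_first = 100000, .count = 65536 },
};
static const struct id_map mounter_uid_map = { mounter_extents, 2 };
static const struct id_map mounter_gid_map = { mounter_extents, 2 };

/* Constructed lower files: a setuid binary owned by an id outside the namespace (kernel uid 0),
 * one owned by the mounter, and one owned by an id inside the subordinate range. */
static const struct lower_stat root_setuid_binary   = { .kuid = 0,      .kgid = 0,      .mode = 04755 };
static const struct lower_stat mounter_owned_binary = { .kuid = 1000,   .kgid = 1000,   .mode = 0755  };
static const struct lower_stat subuid_owned_file    = { .kuid = 100005, .kgid = 100005, .mode = 0644  };

int main(void)
{
    const struct lower_stat *files[] = { &root_setuid_binary, &mounter_owned_binary, &subuid_owned_file };

    for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
        int rc = ovl_copy_up_mapping_check(&mounter_uid_map, &mounter_gid_map, files[i]);
        uint32_t ns_uid = map_id_up(&mounter_uid_map, files[i]->kuid);

        printf("lower kuid=%" PRIu32 " kgid=%" PRIu32 " mode=%o -> %s (uid inside ns: %" PRIu32 ")\n",
               files[i]->kuid, files[i]->kgid, files[i]->mode,
               rc == 0 ? "copy-up allowed" : "copy-up refused, -EOVERFLOW",
               ns_uid);
    }
    return 0;
}
```

The first file is the CVE shape: owned by an id the mounter's namespace cannot express, so the post-fix check refuses to copy it up and the setuid binary never lands on the upper filesystem. The other two show that legitimate ownerships, including ids from a subordinate range, still map and copy up normally.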
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| mainline | 6.2 | 4f11ada10d0a |