Bug 2159505 (CVE-2023-0386)

Summary: CVE-2023-0386 kernel: FUSE filesystem low-privileged user privileges escalation
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, allarkin, arachman, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, fandrieu, fhrbata, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint-bot, kyoshida, ldoskova, lgoncalv, lleshchi, lveyde, lzampier, michal.skrivanek, mperina, nmurray, noteminnow, ptalbert, qguo, qzhao, rhandlin, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, tyberry, victoriadams, vkumar, walters, wcosta, williams, wmealing, ycote
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Linux kernel 6.2-rc6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's OverlayFS subsystem: when a user copies a capable (setuid) file from a nosuid mount into another mount, the copied file can be executed with its setuid privileges and capabilities without authorization. This uid mapping bug allows a local user to escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2165337, 2165338, 2165339, 2165340, 2165341, 2165342, 2165343, 2165344, 2165345, 2165346, 2165347, 2165348, 2165349, 2165350, 2165351, 2165352, 2165353, 2165354, 2165356, 2165357, 2165358, 2165359, 2165360, 2165361, 2165362, 2165368, 2180765
Bug Blocks: 2158952

Description Alex 2023-01-09 19:50:46 UTC
An attacker with a low-privileged user on a Linux machine with an overlay mount which has a file capability in one of its layers may escalate his privileges up to root when copying a capable file from a nosuid mount into another mount. This vulnerability is similar to the CVE-2021-3847, but requires less permissions to run, so higher priority. The steps to reproduce:

1. Mount a FUSE filesystem that exposes a root-owned setuid/setgid binary that is world writable.
2. Unshare user/mount namespaces.
3. Mount an overlay with the FUSE fs as the lower dir, and a user-writable upper dir (as usual). Make sure that the upper dir is on a filesystem that is not mounted with `nosuid`.
4. Touch the file at the merged path to update its mtime, which will trigger a copy-up of the file.
5. The setuid/gid bits are not cleared by the kernel, so the upper directory will contain a copy of the binary with the setuid bits.
6. Run the binary from the upper dir and it will run as root.

The previous CVE-2021-3847 involves file capabilities (xattrs). Xattrs have special rules with user namespaces, so the copied up file will not have capabilities that are valid on the host. The "new" bug makes use of setgid/setuid bits, which are not user-namespace specific. CVE-2021-3847 also specifically talks about USB mounts, which requires physical access and is disabled in most production environments. FUSE on the other hand does not require physical access, and is installed in many production environments (Ubuntu out of the box, RH/Fedora if any number of popular packages are installed).

To recap: the existing reproducer (POC) for this one escalates privileges to root if FUSE is installed on the system, and if unprivileged overlayfs mounts are allowed (i.e., any kernel 5.11+ with unprivileged user namespaces enabled).

References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a

Reference for the previous similar CVE-2021-3847:
https://www.openwall.com/lists/oss-security/2021/10/14/3
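The report above names three preconditions for the unprivileged reproducer: a kernel that allows unprivileged overlayfs mounts (5.11+), unprivileged user namespaces enabled, and FUSE available. The following POSIX sh script is an added exposure pre-check, not code from the bug report or from the kernel project. It reads `uname -r`, `/proc/sys/user/max_user_namespaces` and the presence of `/dev/fuse`, and reports how many of the report's preconditions are present. The version threshold 5.11 is taken from the report; the function names (`vfield`, `version_ge`, `precondition_count`, `assess`) are this example's own. The script deliberately does not decide whether a given kernel build is fixed, since distribution kernels carry backports that a version number alone does not reveal; that determination belongs to the vendor errata listed further down this page.

```shell
#!/bin/sh
# Exposure pre-check for CVE-2023-0386 (overlayfs copy-up keeping setuid bits on a file
# taken from a nosuid/FUSE lower layer). Added example; not part of the bug report.
# It only tests the preconditions the report names; fix status comes from vendor errata.

# vfield VERSION N: print the N-th dot-separated numeric field of a kernel release
# string (1-based), or 0 if absent. "6.1.9-200.fc37.x86_64" -> 6, 1, 9; "6.2-rc6" -> 6, 2, 0.
vfield() {
    n=$2
    v=${1%%-*}                      # drop "-200.fc37.x86_64" / "-rc6" style suffixes
    old_ifs=$IFS; IFS=.
    set -- $v                       # intentionally unquoted: split on dots into $1 $2 $3 ...
    IFS=$old_ifs
    eval "f=\${$n:-0}"
    f=${f%%[!0-9]*}                 # keep only the leading digits of the field
    printf '%s\n' "${f:-0}"
}

# version_ge A B: exit 0 if kernel release A is >= B (compares major, minor, patch).
version_ge() {
    for i in 1 2 3; do
        x=$(vfield "$1" "$i"); y=$(vfield "$2" "$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# precondition_count KVER MAX_USER_NS FUSE_DEV: print how many of the report's three
# preconditions hold. MAX_USER_NS is the value of user.max_user_namespaces (0 disables
# unprivileged user namespaces on distributions that use that knob); FUSE_DEV is the
# FUSE character device path, normally /dev/fuse.
precondition_count() {
    kver=$1; max_ns=$2; fuse_dev=$3
    c=0
    version_ge "$kver" 5.11 && c=$((c + 1))             # unprivileged overlay mounts (5.11+, per report)
    [ "${max_ns:-0}" -gt 0 ] 2>/dev/null && c=$((c + 1)) # unprivileged user namespaces enabled
    [ -e "$fuse_dev" ] && c=$((c + 1))                    # FUSE device present
    echo "$c"
}

# assess KVER MAX_USER_NS FUSE_DEV: one-line verdict built from precondition_count.
assess() {
    c=$(precondition_count "$@")
    case $c in
        3) echo "all 3 preconditions present: confirm fix status against vendor errata (upstream fix in 6.2-rc6, 6.1.9 stable per the report)" ;;
        0) echo "no preconditions present" ;;
        *) echo "$c of 3 preconditions present" ;;
    esac
}

# main: read the live system values and assess them. Some distributions expose an
# additional kernel.unprivileged_userns_clone sysctl; that knob is not inspected here.
main() {
    kver=$(uname -r)
    max_ns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)
    fuse_state=$([ -e /dev/fuse ] && echo yes || echo no)
    printf 'kernel=%s user.max_user_namespaces=%s fuse_device=%s\n' "$kver" "$max_ns" "$fuse_state"
    assess "$kver" "$max_ns" /dev/fuse
}

case "${1:-}" in --run) main ;; esac
```

Save the script under any name (for example `check_cve_2023_0386.sh`, a placeholder) and run `sh check_cve_2023_0386.sh --run` on the host to be assessed. The remedy is the vendor kernel update (see the RHSA links below); on hosts that have no need for unprivileged user namespaces, setting `user.max_user_namespaces=0` removes that precondition, at the cost of breaking tools that depend on unprivileged user namespaces, such as rootless containers.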

Comment 18 Alex 2023-03-22 08:41:59 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2180765]

Comment 20 Justin M. Forbes 2023-03-24 16:25:58 UTC
This was fixed for Fedora with the 6.1.9 stable kernel updates.

Comment 23 errata-xmlrpc 2023-04-04 06:53:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1554 https://access.redhat.com/errata/RHSA-2023:1554

Comment 24 errata-xmlrpc 2023-04-04 09:05:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1584 https://access.redhat.com/errata/RHSA-2023:1584

Comment 25 errata-xmlrpc 2023-04-04 09:21:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1566 https://access.redhat.com/errata/RHSA-2023:1566

Comment 26 errata-xmlrpc 2023-04-05 13:43:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1660 https://access.redhat.com/errata/RHSA-2023:1660

Comment 27 errata-xmlrpc 2023-04-05 14:05:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1659 https://access.redhat.com/errata/RHSA-2023:1659

Comment 28 errata-xmlrpc 2023-04-10 01:30:23 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:1677 https://access.redhat.com/errata/RHSA-2023:1677

Comment 29 errata-xmlrpc 2023-04-10 13:34:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1681 https://access.redhat.com/errata/RHSA-2023:1681

Comment 30 errata-xmlrpc 2023-04-11 14:23:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1691 https://access.redhat.com/errata/RHSA-2023:1691

Comment 31 errata-xmlrpc 2023-04-11 14:26:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1703 https://access.redhat.com/errata/RHSA-2023:1703

Comment 35 errata-xmlrpc 2023-04-25 10:21:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1980 https://access.redhat.com/errata/RHSA-2023:1980

Comment 36 errata-xmlrpc 2023-04-25 10:22:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1984 https://access.redhat.com/errata/RHSA-2023:1984

Comment 37 errata-xmlrpc 2023-04-25 10:24:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1970 https://access.redhat.com/errata/RHSA-2023:1970
