Bug 2159505 (CVE-2023-0386) - CVE-2023-0386 kernel: FUSE filesystem low-privileged user privileges escalation
Summary: CVE-2023-0386 kernel: FUSE filesystem low-privileged user privileges escalation
Keywords:
Status: NEW
Alias: CVE-2023-0386
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2165337 2165338 2165339 2165340 2165341 2165342 2165343 2165344 2165345 2165346 2165347 2165348 2165349 2165350 2165351 2165352 2165353 2165354 2165356 2165357 2165358 2165359 2165360 2165361 2165362 2165368 2180765
Blocks: 2158952
TreeView+ depends on / blocked
 
Reported: 2023-01-09 19:50 UTC by Alex
Modified: 2024-05-17 15:14 UTC (History)
58 users (show)

Fixed In Version: Linux kernel 6.2-rc6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1777 0 None None None 2023-04-13 14:44:47 UTC
Red Hat Product Errata RHSA-2023:1554 0 None None None 2023-04-04 06:53:20 UTC
Red Hat Product Errata RHSA-2023:1566 0 None None None 2023-04-04 09:21:37 UTC
Red Hat Product Errata RHSA-2023:1584 0 None None None 2023-04-04 09:05:18 UTC
Red Hat Product Errata RHSA-2023:1659 0 None None None 2023-04-05 14:05:49 UTC
Red Hat Product Errata RHSA-2023:1660 0 None None None 2023-04-05 13:43:08 UTC
Red Hat Product Errata RHSA-2023:1677 0 None None None 2023-04-10 01:30:25 UTC
Red Hat Product Errata RHSA-2023:1681 0 None None None 2023-04-10 13:34:39 UTC
Red Hat Product Errata RHSA-2023:1691 0 None None None 2023-04-11 14:24:03 UTC
Red Hat Product Errata RHSA-2023:1703 0 None None None 2023-04-11 14:26:10 UTC
Red Hat Product Errata RHSA-2023:1970 0 None None None 2023-04-25 10:24:52 UTC
Red Hat Product Errata RHSA-2023:1980 0 None None None 2023-04-25 10:21:18 UTC
Red Hat Product Errata RHSA-2023:1984 0 None None None 2023-04-25 10:22:35 UTC

Description Alex 2023-01-09 19:50:46 UTC
An attacker with a low-privileged user on a Linux machine with an overlay mount which has a file capability in one of its layers may escalate his privileges up to root when copying a capable file from a nosuid mount into another mount. This vulnerability is similar to the CVE-2021-3847, but requires less permissions to run, so higher priority. The steps to reproduce:

1. Mount a FUSE filesystem that exposes a root owned setuid/setgid binary that is world writable.
2. unshare user/mount namespaces
3. mount an overlay with the FUSE fs as the lower dir, and a user writable upper dir (as usual). Make sure that the upper dir is on a filesystem that is not mounted with `nosuid`. 
4. touch the file at the merged path to update its mtime, which will trigger a copy-up of the file
5. the setuid/gid bitsare not cleared by the kernel, so the upper directory will contain a copy of the binary with the setuid bits.
6. run the binary from the upper dir and it will run as root

The previous CVE-2021-3847 involves file capabilities (xattrs). Xattrs have special rules with user namespaces, so the copied up file will not have capabilities that are valid on the host. The "new" bug makes use of setgid/setuid bits, which are not user-namespace specific. CVE-2021-3847 also specifically talks about USB mounts, which requires physical access and is disabled in most production environments. FUSE on the other hand does not require physical access, and is installed in many production environments (Ubuntu out of the box, RH/Fedora if any number of popular packages are installed).

To recap: the existing reproducer (POC) for this one escalates privileges to root if FUSE is installed on the system, and if unprivileged overlayfs mounts are allowed (i.e., any kernel 5.11+ with unprivileged user namespaces enabled).

References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a

Reference for the previous similar CVE-2021-3847:
https://www.openwall.com/lists/oss-security/2021/10/14/3

Comment 18 Alex 2023-03-22 08:41:59 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2180765]

Comment 20 Justin M. Forbes 2023-03-24 16:25:58 UTC
This was fixed for Fedora with the 6.1.9 stable kernel updates.

Comment 23 errata-xmlrpc 2023-04-04 06:53:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1554 https://access.redhat.com/errata/RHSA-2023:1554

Comment 24 errata-xmlrpc 2023-04-04 09:05:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1584 https://access.redhat.com/errata/RHSA-2023:1584

Comment 25 errata-xmlrpc 2023-04-04 09:21:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1566 https://access.redhat.com/errata/RHSA-2023:1566

Comment 26 errata-xmlrpc 2023-04-05 13:43:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1660 https://access.redhat.com/errata/RHSA-2023:1660

Comment 27 errata-xmlrpc 2023-04-05 14:05:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1659 https://access.redhat.com/errata/RHSA-2023:1659

Comment 28 errata-xmlrpc 2023-04-10 01:30:23 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:1677 https://access.redhat.com/errata/RHSA-2023:1677

Comment 29 errata-xmlrpc 2023-04-10 13:34:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1681 https://access.redhat.com/errata/RHSA-2023:1681

Comment 30 errata-xmlrpc 2023-04-11 14:23:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1691 https://access.redhat.com/errata/RHSA-2023:1691

Comment 31 errata-xmlrpc 2023-04-11 14:26:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1703 https://access.redhat.com/errata/RHSA-2023:1703

Comment 35 errata-xmlrpc 2023-04-25 10:21:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1980 https://access.redhat.com/errata/RHSA-2023:1980

Comment 36 errata-xmlrpc 2023-04-25 10:22:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1984 https://access.redhat.com/errata/RHSA-2023:1984

Comment 37 errata-xmlrpc 2023-04-25 10:24:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1970 https://access.redhat.com/errata/RHSA-2023:1970

Comment 49 Stefanie Norton 2023-11-08 14:21:30 UTC
I also have a headache when this problem often appears when I play games https://dinosaurgames.io

Comment 50 victoriadams 2024-03-11 01:17:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support
  https://drift-boss.pro

Via RHSA-2023:1660 https://access.redhat.com/errata/RHSA-2023:1660

Comment 51 Red Rose 2024-05-17 15:14:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support
  https://emp3juice.blog/ - https://tubidy.diy/ - https://y2mate.diy/

Via RHSA-2023:1660 https://access.redhat.com/errata/RHSA-2023:1660


Note You need to log in before you can comment on or make changes to this bug.