An attacker with a low-privileged user on a Linux machine with an overlay mount which has a file capability in one of its layers may escalate his privileges up to root when copying a capable file from a nosuid mount into another mount. This vulnerability is similar to the CVE-2021-3847, but requires less permissions to run, so higher priority.

The steps to reproduce:

1. Mount a FUSE filesystem that exposes a root owned setuid/setgid binary that is world writable.
2. unshare user/mount namespaces
3. mount an overlay with the FUSE fs as the lower dir, and a user writable upper dir (as usual). Make sure that the upper dir is on a filesystem that is not mounted with `nosuid`.
4. touch the file at the merged path to update its mtime, which will trigger a copy-up of the file
5. the setuid/gid bits are not cleared by the kernel, so the upper directory will contain a copy of the binary with the setuid bits.
6. run the binary from the upper dir and it will run as root

The previous CVE-2021-3847 involves file capabilities (xattrs). Xattrs have special rules with user namespaces, so the copied up file will not have capabilities that are valid on the host. The "new" bug makes use of setgid/setuid bits, which are not user-namespace specific. CVE-2021-3847 also specifically talks about USB mounts, which requires physical access and is disabled in most production environments. FUSE on the other hand does not require physical access, and is installed in many production environments (Ubuntu out of the box, RH/Fedora if any number of popular packages are installed).

To recap: the existing reproducer (POC) for this one escalates privileges to root if FUSE is installed on the system, and if unprivileged overlayfs mounts are allowed (i.e., any kernel 5.11+ with unprivileged user namespaces enabled).

References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a
Reference for the previous similar CVE-2021-3847: https://www.openwall.com/lists/oss-security/2021/10/14/3
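The preconditions listed in the report (an unprivileged-user-namespace-capable kernel, a writable mount without `nosuid` for the upper dir, and a copied-up root-owned setuid binary) can be audited from the defender's side. The script below is an added example, not part of the bug report or the kernel fix; the sample mount table is constructed, and the `user.max_user_namespaces` sysctl is assumed to be the knob read on the host.

```python
"""Audit a host for the CVE-2023-0386 preconditions (added example, not from the report)."""
import os
import stat

SUID_BITS = stat.S_ISUID | stat.S_ISGID

# Constructed /proc/self/mounts sample: fields are source mountpoint fstype options.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1024k 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
/dev/sr0 /media/cd iso9660 ro,nosuid,nodev 0 0
"""


def parse_mounts(proc_mounts_text):
    """Turn /proc/self/mounts text into (mountpoint, fstype, option-set) tuples."""
    rows = []
    for line in proc_mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            _src, mnt, fstype, opts = parts[:4]
            rows.append((mnt, fstype, set(opts.split(","))))
    return rows


def suid_honouring_mounts(mounts):
    """Writable mounts lacking nosuid: an overlay upper dir placed here keeps the
    copied-up setuid bits effective, which is the condition step 3 relies on."""
    return [mnt for mnt, _fs, opts in mounts if "nosuid" not in opts and "ro" not in opts]


def kernel_allows_unpriv_overlay(release, max_user_ns):
    """5.11+ allows overlayfs mounts in a user namespace; max_user_namespaces=0
    (assumed sysctl user.max_user_namespaces) turns unprivileged namespaces off."""
    major, minor = (int(x) for x in release.split("-")[0].split(".")[:2])
    return (major, minor) >= (5, 11) and max_user_ns > 0


def setid_files_owned_by(entries, owner_uid=0):
    """entries: (path, st_mode, st_uid). Return regular files carrying setuid/setgid
    and owned by owner_uid (root by default), i.e. what a copy-up leaves behind."""
    return [p for p, mode, uid in entries
            if stat.S_ISREG(mode) and mode & SUID_BITS and uid == owner_uid]


def scan_tree(root, owner_uid=0):
    """Walk an overlay upper dir or user-writable path with lstat and report hits."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            entries.append((path, st.st_mode, st.st_uid))
    return setid_files_owned_by(entries, owner_uid)
```

On a live host feed `open("/proc/self/mounts").read()`, `os.uname().release` and the sysctl value into the same functions; a hit from `scan_tree` on a user-writable upper dir is the artefact step 5 describes.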
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2180765]
This was fixed for Fedora with the 6.1.9 stable kernel updates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1554 https://access.redhat.com/errata/RHSA-2023:1554
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1584 https://access.redhat.com/errata/RHSA-2023:1584
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1566 https://access.redhat.com/errata/RHSA-2023:1566
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1660 https://access.redhat.com/errata/RHSA-2023:1660
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1659 https://access.redhat.com/errata/RHSA-2023:1659
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2023:1677 https://access.redhat.com/errata/RHSA-2023:1677
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:1681 https://access.redhat.com/errata/RHSA-2023:1681
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:1691 https://access.redhat.com/errata/RHSA-2023:1691
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:1703 https://access.redhat.com/errata/RHSA-2023:1703
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1980 https://access.redhat.com/errata/RHSA-2023:1980
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1984 https://access.redhat.com/errata/RHSA-2023:1984
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1970 https://access.redhat.com/errata/RHSA-2023:1970