CVE-2023-32629

Summary

Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels

Affected Software

VendorProductVersion RangeStatus
CanonicalUbuntu Kernel0 < 6.2.0-26.26unaffected
CanonicalUbuntu Kernel0 < 6.0.0-1020.20unaffected
CanonicalUbuntu Kernel0 < 5.4.0-155.172unaffected

Weaknesses

  • CWE-863: CWE-863

Workarounds

If not needed, disable the ability for unprivileged users to create namespaces. To do this temporarily, do: sudo sysctl -w kernel.unprivileged_userns_clone=0 To disable across reboots, do: echo kernel.unprivileged_userns_clone=0 |
sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References