Ubuntu Kernel Module Found With GameOver(lay) Vulnerabilities

Cybersecurity researchers have disclosed two high-severity security flaws in the Ubuntu kernel that could pave the way for local privilege escalation attacks.

Cloud security company Wiz, announced the easy-to-exploit shortcomings have the potential to impact 40% of Ubuntu users.

Overlay Filesystem refers to a union mount file system that makes it possible to combine multiple directory trees or file systems into a single, unified file system.

A brief description of the two flaws is below –

  • CVE-2023-2640 – On Ubuntu kernels carrying both c914c0e27eb0 and “UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs,” an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
  • CVE-2023-32629 – Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels

In a nutshell, GameOver(lay) makes it possible to “craft an executable file with scoped file capabilities and trick the Ubuntu Kernel into copying it to a different location with unscoped capabilities, granting anyone who executes it root-like privileges.”

The following Ubuntu versions are impacted by CVE-2023-2640 and CVE-2023-32629:

  • Ubuntu 23.04 (Lunar Lobster) — v6.2.0
  • Ubuntu 22.10 (Kinetic Kudu) — v5.19.0
  • Ubuntu 22.04 LTS (Jammy Jellyfish) — v5.19.0, v6.2.0

The following Ubuntu versions are impacted by CVE-2023-32629 only:

  • Ubuntu 20.04 LTS (Focal Fossa) — v5.4.0
  • Ubuntu 18.04 LTS (Bionic Beaver) — v5.4.0

Following responsible disclosure, the vulnerabilities have been fixed by Ubuntu as of July 24, 2023.

“Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu’s individual changes to the OverlayFS module,” the researchers said, adding the issues are comparable to other vulnerabilities such as CVE-2016-1576, CVE-2021-3493, CVE-2021-3847, and CVE-2023-0386.

Customers with a Customer Support Agreement in effect or using Jupiter Zone Managed Services , will be informed by our team as soon as the security patches have been applied to their infrastructure or Servers.

Customers that are not covered with a Support Agreement or using Managed Services are able to open a Support Ticket for further instructions. Our team is available to help you apply security patches to your Linux Ubuntu Servers.

To patch your Ubuntu instance, refer to Ubuntu’s security update notice .