CVE-2023-0386
📋 TL;DR
This Linux kernel vulnerability allows a local user to escalate privileges. When OverlayFS copied a file carrying file capabilities up from one mount to another, it did not check that the file's uid/gid were valid in the mount's user namespace, so the copied file could keep its privileges under an unmapped (root) owner. A local attacker can use this to gain root on affected systems. All Linux systems running a vulnerable kernel version with OverlayFS available are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Local user escalates to root privileges, potentially installing malware, accessing sensitive data, or modifying system configurations.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems, but privilege escalation still enables significant damage.
🎯 Exploit Status
Exploit requires local access and knowledge of OverlayFS operations. Proof-of-concept code is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel 6.2-rc1 and later
Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a
Restart Required: Yes
Instructions:
1. Update the kernel to version 6.2-rc1 or later.
2. Apply distribution-specific patches if available.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable OverlayFS
Prevent OverlayFS usage to eliminate the attack vector:
modprobe -r overlay
echo 'blacklist overlay' >> /etc/modprobe.d/blacklist.conf
modprobe -r fails while any overlay mount is active, and container runtimes (Docker, containerd, Podman) default to overlay-based storage, so this workaround breaks them. A blacklist entry only stops loading by alias; adding install overlay /bin/false to the same file prevents the module from loading at all. Neither helps when overlayfs is built into the kernel rather than a module (check /proc/filesystems).
Restrict unprivileged mounts
Stop unprivileged users from creating the user-namespace OverlayFS mount the bug requires. There is no fs.mount-restrict sysctl in the mainline kernel; the control that exists is the user-namespace limit:
sysctl -w user.max_user_namespaces=0
echo 'user.max_user_namespaces = 0' >> /etc/sysctl.conf
This also disables rootless containers and any sandbox that relies on user namespaces. On Debian and Ubuntu kernels, kernel.unprivileged_userns_clone=0 achieves the same while still allowing root to create user namespaces.
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges
- Monitor for suspicious mount operations and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Run uname -r and compare the version with the affected range. Distribution kernels backport fixes under older version numbers, so check the distribution's advisory for the installed package rather than relying on the number alone. Check whether OverlayFS is available with lsmod | grep overlay; when overlayfs is built into the kernel it does not appear in lsmod, so grep overlay /proc/filesystems is the reliable check.
Check Version:
uname -r
Verify Fix Applied:
Confirm the kernel version is 6.2-rc1 or later with uname -r. For distribution kernels, confirm that the package changelog references CVE-2023-0386 or commit 4f11ada10d0a, since the fix is backported without changing the version number.
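As an added example (not tooling from the advisory or the kernel project), the script below turns the version comparison and the OverlayFS availability check described above into reusable POSIX sh functions; it assumes uname, grep and sysctl are present, and its verdict is only a prompt to consult the vendor advisory because distribution kernels backport the fix.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a kernel version string
# against the mainline fix for CVE-2023-0386 (6.2-rc1) and check whether
# overlayfs is actually available, which lsmod alone cannot tell you when
# overlayfs is built into the kernel rather than loaded as a module.
# Distribution kernels backport fixes under older version numbers, so
# "check-vendor" means "consult the distro advisory", not "exploitable".

# kernel_at_least VERSION MAJOR MINOR: succeeds when VERSION >= MAJOR.MINOR
kernel_at_least() {
    ver=$1 want_major=$2 want_minor=$3
    major=${ver%%.*}              # "5.15.0-76-generic" -> "5"
    rest=${ver#*.}                # -> "15.0-76-generic"
    minor=${rest%%[!0-9]*}        # -> "15" (stops at first non-digit)
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ] && return 0
    return 1
}

# cve_2023_0386_status VERSION: prints "fixed" or "check-vendor"
cve_2023_0386_status() {
    if kernel_at_least "$1" 6 2; then echo fixed; else echo check-vendor; fi
}

# overlay_available: succeeds if overlayfs is registered (module or built-in)
overlay_available() {
    grep -qw overlay /proc/filesystems 2>/dev/null
}

# Run with --check on a live host; the functions above are safe to source.
if [ "${1:-}" = "--check" ]; then
    running=$(uname -r)
    echo "kernel $running: $(cve_2023_0386_status "$running")"
    if overlay_available; then echo "overlayfs available: yes"; else echo "overlayfs available: no"; fi
    # 0 here means unprivileged users cannot create user namespaces
    echo "user.max_user_namespaces: $(sysctl -n user.max_user_namespaces 2>/dev/null || echo unknown)"
fi
```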
📡 Detection & Monitoring
Log Indicators:
- Unusual mount operations: the kernel does not log ordinary mounts to /var/log/syslog, so record them with an auditd rule on the mount syscall (for example -a always,exit -F arch=b64 -S mount -k mount) and review mounts of type overlay made by unprivileged users
- Privilege escalation attempts in audit logs
- Suspicious OverlayFS activity
Network Indicators:
- None - this is a local privilege escalation
SIEM Query:
source="kernel" AND ("overlay" OR "mount" OR "setuid") AND ("privilege" OR "escalation")
🔗 References
- http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a
- https://lists.debian.org/debian-lts-announce/2023/06/msg00008.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
- https://security.netapp.com/advisory/ntap-20230420-0004/
- https://www.debian.org/security/2023/dsa-5402
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-0386