CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.004 Low
Percentile: 70.9%
The overlayfs implementation in the Linux kernel did not properly validate, with respect to user namespaces, the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.
Recent assessments:
bwatters-r7 at November 09, 2021 10:19pm UTC reported:
This vulnerability is generally believed to be present in the Ubuntu Releases from 14.04 to 20.10 LTS. There is some indication in the Debian security tracker that Debian version 10 (AKA Buster) is also vulnerable, but I have not verified this independently.
The vulnerability is based in the implementation of overlayfs inside the Ubuntu Kernel. Overlayfs sets the attributes of a process using a call to vfs_setxattr, but the data within that call should be verified by a prior call to cap_convert_nscap. Ubuntu's implementation of overlayfs does not make that call for validation, and instead sends the request on to the file system without any check. This means an attacker can set their own permission levels by using overlayfs to make the request.
This vulnerability was corrected by simply adding the verification call to cap_convert_nscap into the vfs_setxattr function code, preventing the ability to call one without the other.
Ubuntu is ranked 6th on distrowatch right now, and is one of the more popular Linux-based operating systems. It is very likely to find an Ubuntu system in enterprise settings, and worse yet, they tend to be ad-hoc systems with little maintenance or oversight, so unlikely to be patched.
As this is a local vulnerability in the kernel itself, patching is required for mitigation. Use apt to upgrade your kernel to an unaffected version.
Assessed Attacker Value: 4
Assessed Attacker Value: 5
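This added Python example (not part of the assessment above or of the kernel source) decodes the security.capability xattr that stores file capabilities, so that capabilities found during triage can be separated into namespace-bound ones (revision 3, carrying a root id) and host-wide ones. The function names and sample bytes are constructed for illustration; the layout and constants follow include/uapi/linux/capability.h, and the host-wide test assumes a file system mounted in the initial user namespace.

```python
import struct

# Constants from include/uapi/linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> (count of 32-bit permitted/inheritable pairs, has trailing rootid)
REVISIONS = {0x01000000: (1, False), 0x02000000: (2, False), 0x03000000: (2, True)}

def parse_security_capability(raw):
    """Decode the little-endian value of a security.capability xattr."""
    if len(raw) < 4:
        raise ValueError("value too short for magic_etc")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in REVISIONS:
        raise ValueError("unknown revision 0x%08x" % rev)
    pairs, has_rootid = REVISIONS[rev]
    if len(raw) != 4 + 8 * pairs + (4 if has_rootid else 0):
        raise ValueError("length %d does not match revision" % len(raw))
    words = struct.unpack_from("<%dI" % (2 * pairs), raw, 4)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * pairs)[0] if has_rootid else None
    return {
        "revision": rev >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": sum(words[2 * i] << (32 * i) for i in range(pairs)),
        "inheritable": sum(words[2 * i + 1] << (32 * i) for i in range(pairs)),
        "rootid": rootid,
    }

def honoured_host_wide(caps):
    """Revisions 1 and 2 carry no rootid; revision 3 with rootid 0 names host root."""
    return caps["rootid"] in (None, 0)

def triage(entries):
    """Return paths whose capabilities are non-empty and not namespace-bound."""
    flagged = []
    for path, raw in entries:
        caps = parse_security_capability(raw)
        if caps["permitted"] and honoured_host_wide(caps):
            flagged.append(path)
    return flagged

# Constructed sample values (not taken from any real system).
SAMPLE_V2 = struct.pack("<5I", 0x02000001, 0xFFFFFFFF, 0, 0xFF, 0)
SAMPLE_V3 = struct.pack("<6I", 0x03000001, 0xFFFFFFFF, 0, 0xFF, 0, 1000)

if __name__ == "__main__":
    # On a live host the bytes come from os.getxattr(path, "security.capability").
    print(triage([("/tmp/example/a", SAMPLE_V2), ("/tmp/example/b", SAMPLE_V3)]))
```

Packaged binaries legitimately carry revision 2 capabilities, so flagged paths should be compared against the package baseline before being treated as findings.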
packetstormsecurity.com/files/162434/Kernel-Live-Patch-Security-Notice-LSN-0076-1.html
packetstormsecurity.com/files/162866/Ubuntu-OverlayFS-Local-Privilege-Escalation.html
packetstormsecurity.com/files/165151/Ubuntu-Overlayfs-Local-Privilege-Escalation.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3493
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52
github.com/briskets/CVE-2021-3493
security-tracker.debian.org/tracker/CVE-2021-3493
ubuntu.com/security/notices/USN-4917-1
www.openwall.com/lists/oss-security/2021/04/16/1
www.thesecmaster.com/step-by-step-procedure-to-fix-the-new-ubuntu-overlayfs-vulnerability-cve-2021-3493/