7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.0004 Low
EPSS
Percentile
12.0%
The overlayfs implementation in the Linux kernel through 4.5.2 does not
properly restrict the mount namespace, which allows local users to gain
privileges by mounting an overlayfs filesystem on top of a FUSE filesystem,
and then executing a crafted setuid program.
Author | Note |
---|---|
jdstrand | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support |
sbeattie | precise does not allow unprivileged user namespaces, which is what lets an unprivileged user exploit this vulnerability; however, the issue of copying up setuid attributes still exists in the overlayfs codebase here, but it is a much lower priority to fix (needs root/CAP_SYS_ADMIN to exploit). |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | linux | < 3.13.0-79.123 | UNKNOWN |
ubuntu | 15.04 | noarch | linux | < 3.19.0-51.57 | UNKNOWN |
ubuntu | 15.10 | noarch | linux | < 4.2.0-30.35 | UNKNOWN |
ubuntu | 12.04 | noarch | linux-lts-trusty | < 3.13.0-79.123~precise1 | UNKNOWN |
ubuntu | 14.04 | noarch | linux-lts-utopic | < 3.16.0-62.82~14.04.1 | UNKNOWN |
ubuntu | 14.04 | noarch | linux-lts-vivid | < 3.19.0-51.57~14.04.1 | UNKNOWN |
ubuntu | 14.04 | noarch | linux-lts-wily | < 4.2.0-30.35~14.04.1 | UNKNOWN |
ubuntu | 15.10 | noarch | linux-raspi2 | < 4.2.0-1025.32 | UNKNOWN |
www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/trusty/commit/?id=ce550fb847b34553e63ee95386de59a1096fbfc4
git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/trusty/commit/?id=d77014a9527a4544797b9f1f2026b8e9fe032355
launchpad.net/bugs/cve/CVE-2016-1576
nvd.nist.gov/vuln/detail/CVE-2016-1576
security-tracker.debian.org/tracker/CVE-2016-1576
ubuntu.com/security/notices/USN-2907-1
ubuntu.com/security/notices/USN-2907-2
ubuntu.com/security/notices/USN-2908-1
ubuntu.com/security/notices/USN-2908-2
ubuntu.com/security/notices/USN-2908-3
ubuntu.com/security/notices/USN-2909-1
ubuntu.com/security/notices/USN-2910-1
www.cve.org/CVERecord?id=CVE-2016-1576
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.0004 Low
EPSS
Percentile
12.0%