You might have read that a new critical Ubuntu overlayfs vulnerability was discovered and registered under CVE-2021-3493 in mid-April 2021. This article covers not only background information about the Ubuntu overlayfs vulnerability; it also covers how to find a vulnerable host and how to fix the new Ubuntu overlayfs vulnerability (CVE-2021-3493) on that host.
An independent researcher reported this vulnerability in the early days of April 2021.
On 12th April 2021, the vulnerability was registered in the National Vulnerability Database (NVD) under CVE-2021-3493.
Ubuntu published this vulnerability with security advisories on 15th April 2021.
This new critical vulnerability is not in the operating system itself but in its kernel. The vulnerability is due to the overlayfs implementation in the Linux kernel, which did not properly validate the application of file system capabilities with respect to user namespaces. A local user can use this Ubuntu overlayfs vulnerability to gain root privileges without authentication.
This is an Ubuntu-specific vulnerability, although it could also be seen on some Debian-based distros. Other popular Linux distributions, Red Hat and SUSE, confirmed that the vulnerability does not exist on their distros. A few reference links are shared below. The affected Ubuntu releases are:
Ubuntu 20.10
Ubuntu 20.04 LTS
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 ESM
Linux supports file capabilities stored in extended file attributes; they work similarly to the setuid bit but can be more fine-grained. A simplified procedure for setting file capabilities, in pseudo-code, looks like this:

    setxattr(...):
        if cap_convert_nscap(...) is not OK:
            fail
        vfs_setxattr(...)
The important call is cap_convert_nscap, which checks permissions with respect to namespaces.
If we set the file capabilities from our own namespace and on our own mount, there is no problem, and we have permission to do so. The problem is that when OverlayFS forwards this operation to the underlying file system, it only calls vfs_setxattr and skips checks in cap_convert_nscap.
This allows setting arbitrary capabilities on files in the outer namespace/mount, where they will also be applied during execution.
In Linux 5.11, the call to cap_convert_nscap was moved into vfs_setxattr, so it is no longer vulnerable.
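The xattr that the skipped cap_convert_nscap check was supposed to rewrite is security.capability. The script below is an added example (not code from the article or from the exploit repository) that decodes that xattr and inventories which files on a host carry file capabilities: a v2 entry applies to the real root, while a v3 entry carries the rootid that cap_convert_nscap adds so the capabilities only count inside one user namespace. The byte layout follows the kernel's uapi vfs_cap_data / vfs_ns_cap_data structures; the capability name table is a partial one I constructed, and scan_tree relies on os.getxattr, which only exists on Linux.

```python
import os
import struct
import sys

# Raw layout of the xattr (struct vfs_cap_data / vfs_ns_cap_data in the kernel's
# uapi capability.h): little-endian u32 magic_etc (revision in the top byte, effective
# flag in bit 0), one (v1) or two (v2/v3) pairs of u32 (permitted, inheritable) words,
# and for v3 a trailing u32 rootid that limits the caps to one user namespace's root.
VFS_CAP_FLAGS_EFFECTIVE = 0x1
CAP_NAMES = {0: "chown", 1: "dac_override", 6: "setgid", 7: "setuid", 12: "net_admin",
             16: "sys_module", 19: "sys_ptrace", 21: "sys_admin"}  # partial name table

def decode_caps(blob):
    """Parse a raw security.capability value; raises ValueError on malformed input."""
    rev = blob[3] if len(blob) >= 4 else 0          # top byte of little-endian magic_etc
    expected_len = {1: 12, 2: 20, 3: 24}.get(rev)
    if expected_len is None or len(blob) != expected_len:
        raise ValueError("unsupported revision %d or bad length %d" % (rev, len(blob)))
    magic = struct.unpack_from("<I", blob, 0)[0]
    permitted = inheritable = 0
    for k in range(1 if rev == 1 else 2):            # v1 has one u32 pair, v2/v3 have two
        p, i = struct.unpack_from("<II", blob, 4 + 8 * k)
        permitted |= p << (32 * k)
        inheritable |= i << (32 * k)
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == 3 else None
    return {"revision": rev, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}

def cap_names(mask):
    """Name the set bits of a capability mask, e.g. 0x200080 -> ['setuid', 'sys_admin']."""
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1]

def scan_tree(root):
    """Return [(path, decoded)] for every file under root that carries the xattr (Linux only)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:   # ENODATA (no caps), ENOTSUP (no xattr support), EACCES
                continue
            found.append((path, decode_caps(raw)))
    return found

if __name__ == "__main__":
    for path, info in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print("%s v%d effective=%s rootid=%s permitted=%s" % (path, info["revision"],
              info["effective"], info["rootid"], ",".join(cap_names(info["permitted"]))))
```

Run it against a tree and compare the output with the capability-bearing files your packages are expected to ship; a v2 entry granting setuid or sys_admin on a file no package owns is worth investigating.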
Check the Ubuntu release and the kernel version running on your server. Open the terminal and issue this command to check the Ubuntu release:
$ cat /etc/os-release
In our case, we are running 20.04 LTS, which is vulnerable to the Ubuntu overlayfs vulnerability (CVE-2021-3493).
The exploit is publicly available on GitHub. Download the exploit and execute it. We have downloaded the exploit to the desktop for demonstration purposes.
Optional: you can verify the current user with the ‘whoami’ command. In this case we are logged in to a normal user account.
Change the directory to Desktop.
$ cd Desktop/CVE-2021-3493-main/
Set executable permission for ‘exploit.c’ using the ‘chmod’ command. Enter the root password to execute the command.
$ sudo chmod +x exploit.c
First compile the ‘exploit.c’ file with the gcc compiler and store the compiled binary as ‘exploit’.
$ gcc exploit.c -o exploit
As soon as you execute the compiled file, you will see a root command prompt without authentication.
This is how you can test the new Ubuntu overlayfs vulnerability (CVE-2021-3493) on the host.
The gcc compiler is mandatory because the exploit is written in C. Install gcc if it is not already installed on the host.
$ sudo apt install gcc
In our case, we have the latest gcc package installed on our machine.
Ubuntu has issued a security advisory to fix this vulnerability. In this security advisory, Ubuntu has fixed two vulnerabilities.
https://launchpad.net/ubuntu/+source/linux-oem-5.6
Before we start fixing the issue, update your repositories with this command:
$ sudo apt update
Enter the root password to proceed.
Install the ‘linux-image-5.6.0-1055-oem’ kernel package.
$ sudo apt install linux-image-5.6.0-1055-oem
Enter the root password and hit ‘y’ to continue the installation process.
After the installation completes, reboot the system and let it boot with the new kernel.
$ sudo reboot
Launch the terminal after the system reboots. To our surprise, we saw a different and newer kernel version on our system. When we tried exploiting the system as we did earlier, we did not get the root command prompt this time. You can see this below.
This is how you can fix the new Ubuntu overlayfs vulnerability (CVE-2021-3493) on the host.
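To run the check from the procedure above across many hosts, the script below (an added example, not from the article) parses the running Ubuntu kernel release string, as shown by uname -r, and compares its ABI number with the first fixed kernel for that kernel series and flavour. Only the 5.6 OEM entry (ABI 1055, from the package name above) is taken from this article; any other series/flavour must be filled in from the Ubuntu Security Notice, and the 5.11 cut-off comes from the paragraph on the upstream fix.

```python
import platform
import re

# Ubuntu kernel release strings look like "5.6.0-1054-oem" or "5.4.0-72-generic":
# upstream version, then the Ubuntu ABI number, then the flavour.
KERNEL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-([a-z0-9-]+)$")

# First fixed ABI per "<series>-<flavour>". The 5.6 OEM value is the
# linux-image-5.6.0-1055-oem package from the article; anything else is a
# placeholder to be completed from the Ubuntu Security Notice.
FIXED_ABI = {"5.6-oem": 1055}   # e.g. "5.4-generic": <fixed ABI from the USN>

def parse_release(release):
    """Split a uname -r string into ((major, minor, patch, abi), flavour)."""
    m = KERNEL_RE.match(release.strip())
    if not m:
        raise ValueError("not an Ubuntu kernel release string: %r" % release)
    major, minor, patch, abi, flavour = m.groups()
    return (int(major), int(minor), int(patch), int(abi)), flavour

def is_vulnerable(release, fixed=FIXED_ABI):
    """True if the kernel predates the fix, False if fixed, None if the series is not in the table."""
    ver, flavour = parse_release(release)
    if ver[:2] >= (5, 11):        # upstream moved cap_convert_nscap into vfs_setxattr in 5.11
        return False
    fixed_abi = fixed.get("%d.%d-%s" % (ver[0], ver[1], flavour))
    if fixed_abi is None:
        return None
    return ver[3] < fixed_abi

if __name__ == "__main__":
    # Run before patching and again after the reboot to confirm the new kernel is in use.
    running = platform.release()
    labels = {True: "VULNERABLE", False: "fixed", None: "series not in table, check the USN"}
    try:
        print("%s: %s" % (running, labels[is_vulnerable(running)]))
    except ValueError as err:
        print(err)
```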
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.