Patch Fills Ubuntu Hole

Wednesday, June 17, 2015 @ 12:06 PM gHale

Ubuntu got a fix from Canonical to take care of a local root privilege escalation vulnerability an attacker could leverage to gain administrative privileges.

The kernel vulnerability relates to the OverlayFS Linux filesystem service and it affects the default configuration on all supported versions of Ubuntu. The case number for the vulnerability, discovered by Philip Pettersson of the Samsung SDS Security Center, is CVE-2015-1328.

Ubuntu Patches Linux Kernel Holes
Help Desk Software Needs Help
Trojan Invisible to AV
Trojan Focuses on Europe, North America

“The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs inside unprivileged mount namespaces,” Pettersson said in an advisory. “This is the default configuration of Ubuntu 12.04, 14.04, 14.10, and 15.04.”

Pettersson published a proof-of-concept (PoC) exploit to demonstrate his findings.

Canonical has addressed the issue by releasing updates for Ubuntu 12.04 LTS (Precise Pangolin), Ubuntu 14.04 LTS (Trusty Tahr), Ubuntu 14.10 (Utopic Unicorn) and Ubuntu 15.04 (Vivid Vervet). Users should update their installations as soon as possible.

Pettersson said users who don’t want to update their kernel and don’t use OverlaysFS can remove or blacklist overlayfs.ko / overlay.ko as a workaround.