DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2023-2640: Local Privilege Escalation in Ubuntu Kernel OverlayFS (GameOver(lay))

Vulnerability ID: CVE-2023-2640
CVSS Score: 7.8
Published: 2023-07-26

CVE-2023-2640 is a high-severity local privilege escalation vulnerability located in the OverlayFS implementation of specific Ubuntu Linux kernels. The flaw exists due to an unsafe interaction between an Ubuntu-specific kernel patch and an upstream kernel modification, which effectively bypasses Virtual File System (VFS) permission checks for extended attributes. An unprivileged local attacker can exploit this condition to assign root-level capabilities to arbitrary executables, achieving full system compromise.

TL;DR

An unsafe interaction between Ubuntu-specific kernel patches and upstream OverlayFS changes lets a local attacker bypass permission checks and escalate to root by copying files that carry attacker-chosen capabilities.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-863
  • Attack Vector: Local
  • CVSS v3.1: 7.8
  • EPSS Score: 0.91524
  • Impact: Privilege Escalation (Root)
  • Exploit Status: Weaponized
  • CISA KEV: No

Affected Systems

  • Ubuntu 23.04 (Lunar Lobster): < 6.2.0-26.26 (Fixed in: 6.2.0-26.26)
  • Ubuntu 22.04 LTS (Jammy Jellyfish): < 5.19.0-50.50 (Fixed in: 5.19.0-50.50)
  • Ubuntu 20.04 LTS (Focal Fossa): < 5.4.0-155.172 (Fixed in: 5.4.0-155.172)

Exploit Details

  • GitHub: GameOver(lay) LPE exploit by g1vi
  • GitHub: ThrynSec Bash One-Liner PoC

Mitigation Strategies

  • Apply vendor-provided kernel updates requiring system reboot
  • Disable unprivileged user namespaces via sysctl
  • Implement endpoint monitoring for suspicious namespace creation and OverlayFS mounts

Remediation Steps:

  1. Identify all hosts running vulnerable Ubuntu kernel branches (5.4.x, 5.19.x, 6.2.x).
  2. Execute standard package update procedures (e.g., apt-get update && apt-get upgrade linux-image-generic).
  3. Schedule and execute mandatory system reboots to load the new kernel.
  4. If patching is delayed, apply the interim sysctl workaround (echo kernel.unprivileged_userns_clone=0 | tee /etc/sysctl.d/99-disable-unpriv-userns.conf && sysctl -p /etc/sysctl.d/99-disable-unpriv-userns.conf).
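
An added example, not part of the original report or of Ubuntu's tooling: a POSIX shell triage for steps 1 and 4 that compares the running kernel's /proc/version_signature with the fixed versions listed under Affected Systems and reports whether the interim sysctl workaround is active. It assumes only -generic kernels follow that numbering (other flavours and branches are reported as UNLISTED), and the sample signature in the comments is constructed.

```shell
#!/bin/sh
# Added example: triage one host for CVE-2023-2640 using the fixed versions
# listed under "Affected Systems". Function names are this example's own.

# ver_lt A B: true if A sorts before B (both of the form X.Y.Z-ABI.UPLOAD).
ver_lt() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# kernel_status SIG: SIG is the content of /proc/version_signature, e.g.
# "Ubuntu 5.19.0-46.47~22.04.1-generic 5.19.17" (constructed sample).
# Prints VULNERABLE, FIXED or UNLISTED.
kernel_status() {
    # Assumption: only -generic kernels use the numbering in the page's list.
    case "$1" in *-generic\ *) ;; *) echo UNLISTED; return 0 ;; esac
    # Keep X.Y.Z-ABI.UPLOAD; drops suffixes such as "~22.04.1-generic".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^ ]* \([0-9]*\.[0-9]*\.[0-9]*-[0-9]*\.[0-9]*\).*/\1/p')
    case "$ver" in
        5.4.0-*)  fixed=5.4.0-155.172 ;;
        5.19.0-*) fixed=5.19.0-50.50 ;;
        6.2.0-*)  fixed=6.2.0-26.26 ;;
        *) echo UNLISTED; return 0 ;;
    esac
    if ver_lt "$ver" "$fixed"; then echo VULNERABLE; else echo FIXED; fi
}

# host_report: apply the checks to the machine the script runs on.
host_report() {
    sig=$(cat /proc/version_signature 2>/dev/null || true)
    userns=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || true)
    echo "kernel: $(kernel_status "$sig") [${sig:-no /proc/version_signature}]"
    if [ "$userns" = 0 ]; then
        echo "interim workaround: active (unprivileged_userns_clone=0)"
    else
        echo "interim workaround: not active"
    fi
}

host_report
```

A host that reports FIXED from installed packages but has not rebooted will still show its old signature here, since /proc/version_signature reflects the kernel that is actually running.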

Read the full report for CVE-2023-2640 on our website for more details including interactive diagrams and full exploit analysis.
