[ubuntu-hardened] Overlayfs over Fuse Privilege Escalation in USERNS.

Steve Beattie steve at nxnw.org
Tue Mar 1 21:28:56 UTC 2016


Hi Daniel,

On Tue, Mar 01, 2016 at 07:55:37PM +0100, daniel curtis wrote:
> I would like to ask a question about issues that could allow a local
> unprivileged attacker to gain privileges etc. Generally, I mean these two
> situations called, "Overlayfs over Fuse Privilege Escalation in USERNS",
> described e.g. here:
> 
> * http://www.openwall.com/lists/oss-security/2016/02/24/7
> * http://www.openwall.com/lists/oss-security/2016/02/24/8
> 
> If it is about "Trusty" or "Vivid" etc., releases, the status is: 'Fix
> Released' while for "Precise" it is: 'New' with 'Importance: Medium' (see
> Bug #1534961). There is an Ubuntu Security Notice (USN 2908-4) published on
> February 26, 2016 (more: http://lwn.net/Articles/677951/).
> 
> CVE IDs: CVE-2016-1575 CVE-2016-1576.
> LP: #1534961, #1535150.
> 
> Will an update be available for "Precise"? If yes, when?

The thing that makes these issues exploitable is that the kernel in
Ubuntu 14.04 and newer supports unprivileged user namespaces, which
allows an unprivileged user to mount overlayfs in a user namespace and
have the setuid bits and xattrs propagate outside of the namespace. In
Ubuntu 12.04's kernel, root/CAP_SYS_ADMIN is required to enter a USERNS
or mount overlayfs, so it's much more difficult to exploit this.
However, the underlying incorrect propagation of attributes is still
present in the overlayfs code, so it should still be addressed at some
point.

I've attempted to adjust the priority for precise in the CVE tracker
to low with an explanation; that should be reflected in the Ubuntu
CVE tracker within the next hour.

Thanks for the query!
-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
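
An added example, not part of the original message or of Ubuntu's tooling: a shell check for the two preconditions the reply names, unprivileged user namespaces and a registered overlayfs. The function names and the optional `PROC_ROOT` argument are assumptions made for this sketch; the sysctl paths are `kernel.unprivileged_userns_clone` (Debian/Ubuntu-patched kernels) and `user.max_user_namespaces` (mainline 4.9 and later).

```shell
#!/bin/sh
# Added example (not from the original message). Function names and the
# optional PROC_ROOT argument are hypothetical; PROC_ROOT defaults to /proc.

# Print enabled | disabled | unavailable | unknown for unprivileged USERNS.
userns_state() {
    proc=${1:-/proc}
    clone="$proc/sys/kernel/unprivileged_userns_clone"  # Debian/Ubuntu kernel patch
    max="$proc/sys/user/max_user_namespaces"            # mainline kernels >= 4.9
    # No ns/user entry: kernel predates 3.8 or lacks CONFIG_USER_NS, so an
    # unprivileged user cannot create a user namespace.
    if [ ! -e "$proc/self/ns/user" ] && [ ! -L "$proc/self/ns/user" ]; then
        echo unavailable; return 0
    fi
    # Either knob set to 0 stops an unprivileged user creating a user namespace.
    for f in "$clone" "$max"; do
        if [ -r "$f" ] && [ "$(cat "$f")" = "0" ]; then
            echo disabled; return 0
        fi
    done
    if [ -r "$clone" ] || [ -r "$max" ]; then
        echo enabled
    else
        echo unknown    # no knob present; check the distribution's kernel config
    fi
}

# Succeed if overlayfs is registered. The type is listed as "overlayfs" by
# Ubuntu 14.04's kernel and "overlay" by mainline; a module that is not yet
# loaded does not appear here.
overlay_registered() {
    proc=${1:-/proc}
    grep -Eq '[[:space:]]overlay(fs)?$' "$proc/filesystems" 2>/dev/null
}

# One-line summary of both preconditions for inventory or audit output.
precondition_report() {
    state=$(userns_state "$1")
    if overlay_registered "$1"; then ovl=yes; else ovl=no; fi
    echo "userns=$state overlay=$ovl"
}

precondition_report "${1:-}"
```

A result of `userns=enabled overlay=yes` means both preconditions described in the reply are present, so the kernel's patch level for CVE-2016-1575 and CVE-2016-1576 is what matters on that host.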