
List:       oss-security
Subject:    Re: [oss-security] CVE-2020-16120 - incorrect unprivileged overlayfs permission checking
From:       Jordan Glover <Golden_Miller83 () protonmail ! ch>
Date:       2020-10-14 13:14:31
Message-ID: oxqCR3d1ydEMwuGW3PBgnpgk9XUJjoqNeS5JCk7dcaEaQGJyq7TxVPJk2fWAgk9Bjd4MfdLDr_CHRPBTeJv9kRZPOV4X2b0HAALr17Vy5Wo= () protonmail ! ch

On Tuesday, October 13, 2020 5:10 PM, Steve Beattie <steve.beattie@canonical.com> wrote:

> Hello,
> 
> CVE-2020-16120 - incorrect unprivileged overlayfs permission checking
> 
> Giuseppe Scrivano discovered that overlayfs did not properly perform
> permission checking when copying up files in an overlayfs, and can be
> exploited from within a user namespace, if, for example, unprivileged
> user namespaces are allowed.
> 
> An attacker can abuse this to get read access to files on the system
> that they would not normally be permitted to access.
> 
> This likely only has an impact on Ubuntu kernels, where unprivileged
> user namespaces are enabled by default.

AFAIK unpriv user ns are enabled by default on the vast majority of distros nowadays, with Debian
(RHEL?) being an exception (although this is going to change at some point [1]). I think what
makes Ubuntu different is unpriv overlayfs, which doesn't exist upstream and thus in most other
distros.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446

> 
> The following upstream commits address the issue:
> 
> 48bd024b8a40d73ad6b086de2615738da0c7004f ("ovl: switch to mounter creds in readdir")
> 56230d956739b9cb1cbde439d76227d77979a04d ("ovl: verify permissions in ovl_path_open()")
> 05acefb4872dae89e772729efb194af754c877e8 ("ovl: check permission to open real file")
> 
> The following commits also may be desired or necessary:
> 
> 130fdbc3d1f9966dd4230709c30f3768bccd3065 ("ovl: pass correct flags for opening real directory")
> 292f902a40c11f043a5ca1305a114da0e523eaa3 ("ovl: call secutiry hook in ovl_real_ioctl()")
> 
> Mitigation on systems where unprivileged user namespaces are enabled
> but not needed is to set the kernel.unprivileged_userns_clone sysctl
> to 0. e.g.:
> 
> $ sudo sysctl kernel.unprivileged_userns_clone=0
> 
> and across reboots by adding a file in /etc/sysctl.d/ that contains:
> 
> kernel.unprivileged_userns_clone=0

This will only work with the out-of-tree patch included in the distro kernel.

> 
> Thanks.
> 
> 
> 
> Steve Beattie
> sbeattie@ubuntu.com
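An added check, not part of this thread, for the point made above: the sysctl in the advisory only exists on kernels carrying the Debian/Ubuntu out-of-tree patch, so before relying on it a defender should confirm the knob is actually present and set to 0 on the running kernel. The function below reads the knob from a sysctl root (normally /proc/sys; the parameter and the sample directory trees are constructed here so the script can be exercised offline) and returns a distinct status for "present and 0", "present but not 0", and "absent".

```shell
#!/bin/sh
# Added example, not code from the thread: report whether the out-of-tree
# kernel.unprivileged_userns_clone sysctl is present and set to 0.
#
# $1 is the sysctl root, normally /proc/sys (parameterised so the function
# can be run against a constructed directory tree instead of the real one).
#
# Return codes:
#   0  knob present and set to 0 (mitigation from the advisory is in effect)
#   1  knob present but not 0 (unprivileged user namespaces allowed)
#   2  knob absent: kernel without the out-of-tree patch, so setting the
#      sysctl from the advisory would have no effect here
userns_clone_status() {
    root="${1:-/proc/sys}"
    knob="$root/kernel/unprivileged_userns_clone"
    if [ ! -r "$knob" ]; then
        echo "kernel.unprivileged_userns_clone: not present (out-of-tree patch missing)"
        return 2
    fi
    val=$(cat "$knob")
    case "$val" in
        0)
            echo "kernel.unprivileged_userns_clone=0 (unprivileged user namespaces disabled)"
            return 0
            ;;
        *)
            echo "kernel.unprivileged_userns_clone=$val (unprivileged user namespaces allowed)"
            return 1
            ;;
    esac
}

# Constructed sample trees for a stand-alone run (not the real /proc).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/patched/kernel" "$demo_root/upstream/kernel"
echo 0 > "$demo_root/patched/kernel/unprivileged_userns_clone"
userns_clone_status "$demo_root/patched" || echo "status=$?"   # patched distro kernel, knob = 0
userns_clone_status "$demo_root/upstream" || echo "status=$?"  # upstream-style kernel, no knob
userns_clone_status || echo "status=$?"                        # the kernel this script runs on
rm -rf "$demo_root"
```

On an upstream kernel the function returns 2, which is exactly the case the reply above describes: the advisory's sysctl line would be silently ignored, so a different control is needed there.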

