CVE-2023-0386: Privilege Escalation Vulnerability in the Linux Kernel's OverlayFS Subsystem


Description

CVE-2023-0386 is a critical vulnerability in the Linux kernel's OverlayFS subsystem that lets a local user execute setuid files carrying file capabilities without authorization. The root cause is a uid mapping bug triggered when a user copies a file with capabilities from a nosuid mount into another mount. A local attacker can exploit this flaw to escalate privileges on the affected system, potentially to root.

Overview

The vulnerability exists in the OverlayFS subsystem of the Linux kernel. OverlayFS is a union filesystem that overlays one filesystem on top of another. The specific issue is in how the kernel handles the copying of files with capabilities from nosuid mounts to other mounts: when a user copies such a file out of a nosuid mount, the uid mapping is handled incorrectly, so capabilities that should be dropped are preserved on the copy. This improper permission management (CWE-282) lets local users execute setuid files with elevated privileges, bypassing the security restrictions intended to prevent privilege escalation.

Remediation

To mitigate this vulnerability, system administrators should:

  1. Update the Linux kernel to a patched version. The fix has been committed to the mainline Linux kernel (commit 4f11ada10d0a).
  2. For specific distributions:
    • Debian users should apply the security updates referenced in DSA-5402 for standard Debian, or DLA 3446-1 / DLA 3840-1 for Debian LTS.
    • Other Linux distributions should apply their respective vendor-provided security patches.
  3. If immediate patching is not possible, consider implementing additional access controls to restrict local user access to sensitive filesystems, and monitor for suspicious file operations involving setuid files.
  4. After patching, restart the system to ensure the updated kernel is in use.
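As an added defender-side example (not Armis's or the kernel's code), the POSIX shell audit below inventories the preconditions this page describes on a host: nosuid mounts, overlay mounts, and files on nosuid mounts that carry file capabilities. It assumes util-linux `findmnt` and libcap `getcap` are installed for the live mode; the mount listing used in demo mode is constructed.

```shell
#!/bin/sh
# Added audit helper (example code, not from Armis or the kernel tree).
# Assumed input format: findmnt -rn -o TARGET,FSTYPE,OPTIONS, one mount per line.

# Constructed sample listing used by --demo (and by the accompanying test).
SAMPLE_MOUNTS='/ ext4 rw,relatime
/tmp tmpfs rw,nosuid,nodev,noexec
/home ext4 rw,nosuid,relatime
/var/lib/containers/overlay overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w'

# Print mount targets whose option list contains nosuid (the source side of the bug).
nosuid_mounts() {
    awk '$3 ~ /(^|,)nosuid(,|$)/ { print $1 }'
}

# Print mount targets of type overlay (where the copy-up of a capable file happens).
overlay_mounts() {
    awk '$2 == "overlay" { print $1 }'
}

# Live system: list every file carrying file capabilities under each nosuid mount.
# Such files are the ones whose capabilities should not survive a copy elsewhere.
capable_files_on_nosuid() {
    findmnt -rn -o TARGET,FSTYPE,OPTIONS | nosuid_mounts | while read -r target; do
        getcap -r "$target" 2>/dev/null
    done
}

# Demo mode: run the parsers over the constructed listing only (no host access).
demo_report() {
    echo "## nosuid mounts";  printf '%s\n' "$SAMPLE_MOUNTS" | nosuid_mounts
    echo "## overlay mounts"; printf '%s\n' "$SAMPLE_MOUNTS" | overlay_mounts
}

# Live mode: same inventory against the running host, plus the capability scan.
live_audit() {
    echo "## nosuid mounts";  findmnt -rn -o TARGET,FSTYPE,OPTIONS | nosuid_mounts
    echo "## overlay mounts"; findmnt -rn -o TARGET,FSTYPE,OPTIONS | overlay_mounts
    echo "## files with capabilities on nosuid mounts"; capable_files_on_nosuid
}

case "${1:-}" in
    --demo) demo_report ;;
    --live) live_audit ;;
esac
```

Run with `--live` on a host to get the inventory, or `--demo` to see the parsers work on the constructed listing.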

References

  1. Linux Kernel Fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a
  2. Debian Security Advisory: https://www.debian.org/security/2023/dsa-5402
  3. Debian LTS Announcement: https://lists.debian.org/debian-lts-announce/2023/06/msg00008.html
  4. Debian LTS Announcement (2024): https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  5. NetApp Security Advisory: https://security.netapp.com/advisory/ntap-20230420-0004/
  6. Kernel Live Patch Security Notice: http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html

Early Warning

Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers, who can learn how to receive alerts earlier.

Armis Alert Date: Mar 22, 2023
CISA KEV Date: Jun 17, 2025
818 days early

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
  2. Health Care & Social Assistance: Medium
  3. Public Administration: Medium
  4. Finance and Insurance: Low
  5. Professional, Scientific, & Technical Services: Low
  6. Transportation & Warehousing: Low
  7. Retail Trade: Low
  8. Arts, Entertainment & Recreation: Low
  9. Educational Services: Low
  10. Management of Companies & Enterprises: Low
  11. Other Services (except Public Administration): Low
  12. Utilities: Low
  13. Agriculture, Forestry, Fishing & Hunting: Low
  14. Real Estate, Rental & Leasing: Low
  15. Accommodation & Food Services: Low
  16. Administrative, Support, Waste Management & Remediation Services: Low
  17. Construction: Low
  18. Information: Low
  19. Mining: Low
  20. Wholesale Trade: Low
