Two high-severity security vulnerabilities have been discovered in the Ubuntu kernel that could allow local attackers to gain elevated privileges. The vulnerabilities, which have been dubbed “GameOver(lay)”, are tracked as CVE-2023-32629 and CVE-2023-2640, and have a CVSS score of 7.8.

Description of the vulnerabilities:

The vulnerabilities are present in a module called OverlayFS, which is a union mount file system that makes it possible to combine multiple directory trees or file systems into a single, unified filesystem.

CVE-2023-2640 allows an unprivileged user to set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks. CVE-2023-32629 allows a local attacker to copy an executable file with scoped file capabilities to a different location with unscoped capabilities, granting anyone who executes it root-like privileges.

Impact of the vulnerabilities:

Users of Ubuntu could be affected by these vulnerabilities to the extent of 40%. Since many cloud service providers use Ubuntu as their default operating system, the impacted versions are prevalent in the cloud.

Mitigation:

According to Ubuntu, the vulnerabilities have been fixed as of July 24, 2023. Users are advised to update their Ubuntu installations to the latest version to mitigate the risk of exploitation.

Conclusion:

The GameOver(lay) vulnerabilities are a serious security threat to Ubuntu users. Users are advised to update their installations as soon as possible to mitigate the risk of exploitation.