CISA Alert: Linux Vulnerability Targeted by Cyber Attackers with Proven Exploit

CISA Warns of Attackers Exploiting Linux Flaw with PoC Exploit

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to U.S. federal agencies about malicious attackers targeting a high-severity vulnerability in the Linux kernel’s OverlayFS subsystem, leveraging a proof of concept (PoC) exploit to gain root privileges.

Description of the Vulnerability

Identified as CVE-2021-3493, this vulnerability resides in the OverlayFS layer, a union filesystem that combines multiple folders into a single, logical filesystem.

The root cause is a race condition between copyup and rename operations that can lead to file permission modifications and thus give attackers unauthorized access.

Exploiting this flaw lets attackers escalate privileges to root on a vulnerable system, provided they have already gained initial low-privileged access to it.

An out-of-bounds (OOB) write that is triggered during the exploitation of the flaw can result in data corruption or a system crash.

PoC Exploit in Circulation

A concerning development is the recent publication of a PoC exploit, which increases the risk factor associated with this vulnerability.

It raises the possibility of broader exploitation, particularly by less sophisticated threat actors or as part of automated attack toolkits.

Recommendations and Mitigations

CISA recommends that affected U.S. federal agencies promptly apply the security patches released by Linux distributions, such as Canonical’s Ubuntu security notices USN-4915-1 and USN-4915-2 for Ubuntu 20.10 (Groovy Gorilla), 20.04 LTS (Focal Fossa), and 18.04 LTS (Bionic Beaver).

Until patches can be applied, temporary mitigation measures can be enforced, such as restricting access to sensitive systems, monitoring network traffic for unusual activities or well-known patterns associated with this exploit, and implementing strict access controls.

The agency also encourages organizations to enable automatic security updates where available, so that future vulnerabilities are mitigated promptly.
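As an added example (not from the CISA alert or from Ubuntu's own tooling), a small POSIX shell triage script a defender could run to decide patch priority: it checks whether the host is one of the Ubuntu releases named in USN-4915-1/2, whether OverlayFS is registered in the kernel, and whether a kernel update is still waiting for a reboot, since the running kernel stays unpatched until then. The codename list and the reboot flag path are assumptions about Ubuntu's layout.

```shell
#!/bin/sh
# Added example, not part of the CISA alert or any Ubuntu tooling: a defender-side
# triage script for CVE-2021-3493 exposure. Assumes Ubuntu's os-release codenames
# and its /var/run/reboot-required flag file.

# Returns 0 when the os-release text on stdin names a release covered by USN-4915-1/2.
is_affected_release() {
    codename=$(sed -n 's/^VERSION_CODENAME=//p' | tr -d '"')
    case "$codename" in
        groovy|focal|bionic) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the /proc/filesystems text on stdin lists overlay support.
overlay_available() {
    grep -q '[[:space:]]overlay$'
}

# Ubuntu's update hooks create this flag file when an installed package (kernel
# packages included) needs a reboot before it takes effect.
reboot_pending() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Produces a one-line verdict from the three checks (arguments: os-release text,
# /proc/filesystems text, reboot flag path) so results can be collected centrally.
triage() {
    status="not-affected-release"
    if printf '%s\n' "$1" | is_affected_release; then
        status="affected-release"
        printf '%s\n' "$2" | overlay_available && status="$status,overlay-present"
        reboot_pending "$3" && status="$status,reboot-pending"
    fi
    printf '%s\n' "$status"
}

main() {
    # Missing files (non-Ubuntu hosts, containers) simply yield empty input.
    release=$(cat /etc/os-release 2>/dev/null || true)
    filesystems=$(cat /proc/filesystems 2>/dev/null || true)
    echo "CVE-2021-3493 triage: $(triage "$release" "$filesystems" /var/run/reboot-required)"
}

main
```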

Real-World Cases

CISA noted that this Linux flaw in the OverlayFS subsystem has already been exploited in the wild by sophisticated threat actors who used the PoC exploit as part of their attack chain.

Specific details about these attacks are currently confidential, but they underline the importance of timely patching and a strong security posture.

Conclusion

The recent warning from CISA is a stark reminder that no operating system is immune to vulnerabilities and attacks.

The best defense is a proactive and comprehensive security strategy that includes patch management, network monitoring, and swift response to identified security threats.
