CVE-2021-3493
published 2021-04-17


Priority: P184 (high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-11-10
Exploited in the wild
EPSS: 43.99% (98.6th percentile)
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.

Affected

19 ranges
Vendor    | Product       | Version range                   | Fixed in
canonical | ubuntu_linux  | < 18.04                         | 18.04
canonical | ubuntu_linux  | < 20.10                         | 20.10
canonical | ubuntu_linux  | >= 18.04.1 < 20.04              | 20.04
debian    | linux         | < linux 5.10.38-1 (bookworm)    | linux 5.10.38-1 (bookworm)
linux     | linux_kernel  | >= 0 < 5.10.38-1                | 5.10.38-1
linux     | linux_kernel  | >= 0 < 5.10.38-1                | 5.10.38-1
linux     | linux_kernel  | >= 0 < 5.10.38-1                | 5.10.38-1
linux     | linux_kernel  | >= 0 < 5.10.38-1                | 5.10.38-1
linux     | linux_kernel  | >= 0 < 4.4.0-210.242            | 4.4.0-210.242
linux     | linux_kernel  | >= 0 < 4.4.0-209.241            | 4.4.0-209.241
linux     | linux_kernel  | >= 0 < 4.15.0-142.146           | 4.15.0-142.146
linux     | linux_kernel  | >= 0 < 5.4.0-72.80              | 5.4.0-72.80
linux     | linux_kernel  | >= 0 < 4.4.0-209.241            | 4.4.0-209.241
linux     | linux_kernel  | >= 0 < 4.15.0-142.146           | 4.15.0-142.146
linux     | linux_kernel  | >= 0 < 5.4.0-72.80              | 5.4.0-72.80
ubuntu    | linux_kernel  | >= 4.15 kernel < 4.15.0-142.146 | 4.15.0-142.146
ubuntu    | linux_kernel  | >= 4.4 kernel < 4.4.0-209.241   | 4.4.0-209.241
ubuntu    | linux_kernel  | >= 5.4 kernel < 5.4.0-72.80     | 5.4.0-72.80
ubuntu    | linux_kernel  | >= 5.8 kernel < 5.8.0-50.56     | 5.8.0-50.56

Detection & IOCs (extracted from sources)

path: modules/exploits/linux/local/cve_2021_3493_overlayfs.rb
  • Monitor for unprivileged user namespace creation combined with overlayfs mount attempts, which is the prerequisite condition for exploiting this vulnerability.
  • Detect calls to vfs_setxattr / ovl_do_setxattr from unprivileged processes setting file capabilities (xattrs) on overlayfs-mounted files, bypassing cap_convert_nscap verification.
  • Alert on writing setuid capabilities to a file via overlayfs upper directory, which is the exploitation primitive used to achieve root access.
  • Monitor for local privilege escalation via overlayfs on Ubuntu kernels; the exploit is delivered as a local exploit module targeting Linux systems.
  • This vulnerability is Ubuntu-specific; all Red Hat Enterprise Linux versions (5, 6, 7, 8, 9) are listed as Not Affected because they do not carry the Ubuntu patch enabling unprivileged overlay mounts.
  • The vulnerability requires the Ubuntu-specific kernel patch that allows unprivileged overlay mounts; without that patch the overlayfs capability bypass is not reachable by an unprivileged user.
  • The GameOver(lay) module (gameoverlay_privesc.rb) targets a related but distinct code path introduced as a mitigation for CVE-2021-3493, where __vfs_setxattr_noperm is called without the intermediate safety function vfs_setxattr.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.2   | HIGH     | AV:L/AC:L/Au:N/C:C/I:C/A:C
osv           |         | 7.8   | HIGH     |
vulncheck     |         | 8.8   | HIGH     |
cisa          |         | 7.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |
vendor_ubuntu |         | 8.8   | HIGH     |