As you may have noticed, a rather serious Ubuntu privilege escalation exploit has been disclosed today:

CVE-2015-1328: incorrect permission checks in overlayfs, ubuntu local root

The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs inside unprivileged mount namespaces. This is the default configuration of Ubuntu 12.04, 14.04, 14.10, and 15.04 [1].

At the time of writing, there is no patch available.

However, there is a quick work-around for the issue (run as root):

modprobe -r overlayfs  
echo "blacklist overlayfs" > /etc/modprobe.d/blacklist-overlayfs.conf

What the above does:

  • remove the overlayfs module from memory, if currently loaded
  • blacklist the overlayfs module from being loaded at boot

Possible GOTCHA: the overlayfs module can be called just overlay in previous versions of Ubuntu.

You can check what is the correct name with:

modinfo overlay  
modinfo overlayfs

One of these will show the module information, and one will say “module not found”.

To confirm that you are not affected, try the following (run as a normal user):

curl -o cve-2015-1238.c  
gcc cve-2015-1238.c -o cve-2015-1238  

And you should see the following output if you are safe

$ ./cve-2015-1238
spawning threads  
mount #1  
no FS_USERNS_MOUNT for overlayfs on this kernel  
child threads done  
exploit failed

If you are not safe, you will get a root shell (#)