CISA Warns of Active Exploitation of Critical Linux Kernel Vulnerability CVE-2023-0386
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding the active exploitation of a critical Linux kernel vulnerability identified as CVE-2023-0386. This flaw, which carries a CVSS score of 7.8, is classified as a privilege escalation vulnerability within the Linux Kernel's OverlayFS subsystem. Successful exploitation could allow attackers to elevate privileges, gain unauthorized access, and execute arbitrary code with elevated permissions.
Details of the CVE-2023-0386 Flaw
CVE-2023-0386 results from improper ownership management in OverlayFS. Specifically, the vulnerability is triggered when a file with elevated capabilities is copied from a nosuid mount to another mount point. CISA noted in its alert that this flaw allows unauthorized execution of setuid files with capabilities due to flawed handling of UID and GID mapping during such operations.
Originally discovered and patched in early 2023 by Linux kernel contributor Miklos Szeredi, the vulnerability was addressed in commit ID 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3 on January 27, 2023. The fix enforces stricter validation by rejecting copy-up operations when the user or group ID lacks a valid mapping within the user namespace, in line with expected behavior under POSIX ACLs.
Technical Breakdown
The flaw exists in the ovl_copy_up_one function of the OverlayFS component. Affected systems running Linux kernel versions prior to 6.2-rc6 lack adequate validation for UID and GID mappings, allowing privilege escalation. One specific edge case occurs when cp -a appears to succeed due to the default fallback UID/GID of 65534, even when a proper mapping is missing. This inconsistency can be exploited if the system remains unpatched.
The inclusion of CVE-2023-0386 in CISA’s Known Exploited Vulnerabilities catalog confirms its active use in real-world cyberattacks. Privilege escalation vulnerabilities pose a heightened risk in shared environments, such as containers and cloud infrastructure, where isolation and access control are essential.
Industry Response and NetApp Impact
Several technology vendors have responded to the threat. NetApp released an advisory (NTAP-20230420-0004) confirming the vulnerability’s impact across various product lines. The company identified multiple devices using affected kernel versions, noting potential risks such as data exposure, modification, and denial-of-service.
Impacted NetApp products include:
- HCI Baseboard Management Controllers (H300S, H500S, H700S, H410S, H410C)
- Other devices running Linux kernel versions earlier than 6.2-rc6
NetApp provided a detailed list of affected and unaffected systems in its advisory and stated that security updates would be available through its support platform. Currently, no workarounds exist, making patching the only viable mitigation.
Recommendations
CISA and security experts advise administrators to:
- Upgrade to Linux kernel version 6.2-rc6 or later to apply the official fix
- Monitor systems for signs of unusual privilege elevation, especially in multi-user and containerized environments
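As an added example that is not part of the CISA alert or this article, the following triage script implements the upgrade recommendation as a fleet check: it parses `uname -r` strings and flags hosts whose mainline version predates 6.2-rc6. Hostnames and version strings are constructed, and because distributions backport kernel fixes without bumping the mainline version, a flagged host means "check the vendor advisory", not "confirmed vulnerable".

```python
import re
from typing import Dict, List, Optional, Tuple

# The article states the fix shipped in mainline 6.2-rc6.
FIXED_VERSION = "6.2-rc6"

# Leading "major.minor[.patch][-rcN]"; distro suffixes such as "-105-generic" are ignored.
_KVER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(uname_r: str) -> Tuple[int, int, int, Optional[int]]:
    """Parse a `uname -r` string into (major, minor, patch, rc); rc is None for a final release."""
    m = _KVER_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)


def _order_key(version: Tuple[int, int, int, Optional[int]]):
    """Sort key in which a final release ranks above every rc of the same version."""
    major, minor, patch, rc = version
    return (major, minor, patch, (0, rc) if rc is not None else (1, 0))


def predates_fix(uname_r: str) -> bool:
    """True when the mainline version string is older than 6.2-rc6.

    Distribution kernels backport fixes without changing the mainline version,
    so True means "consult the vendor advisory", not "confirmed vulnerable".
    """
    return _order_key(parse_kernel_version(uname_r)) < _order_key(parse_kernel_version(FIXED_VERSION))


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames (sorted) whose reported kernel predates the fix."""
    return sorted(host for host, kver in inventory.items() if predates_fix(kver))


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> `uname -r` output); not real hosts.
    sample = {
        "web-01": "5.15.0-105-generic",
        "build-02": "6.2.0-rc5",
        "k8s-node-03": "6.2.0-rc6",
        "db-04": "6.1.30",
        "dev-05": "6.3.1-arch1-1",
    }
    for host in triage_inventory(sample):
        print(f"{host}: {sample[host]} predates 6.2-rc6, check vendor advisory")
```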
The vulnerability is considered low in technical complexity but high in potential impact. It requires local access but no user interaction and has been assessed as CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Organizations are urged to act quickly to reduce exposure and protect their infrastructure from ongoing threats.