--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Privilege Escalation Vulnerabilities in Ubuntu' version: '1.0' number: '2023-054' original_date: 'July 24, 2023' date: 'July 31, 2023' --- _History:_ * _31/07/2023 --- v1.0 -- Initial publication_ # Summary On the 24th of July, 2023, Ubuntu issued a fix for two local privilege escalation vulnerabilities, **CVE-2023-2640** and **CVE-2023-32629**, that were discovered in the OverlayFS module of its Linux kernel [1]. # Technical Details The two vulnerabilities are exclusive to Ubuntu because of the changes Ubuntu introduced in the OverlayFS module in 2018. These modifications did not pose any risks initially. However, they later led to an unpatched vulnerable flow in Ubuntu after the discovery and fixing of a security vulnerability in the Linux kernel in 2020 [1]. **CVE-2023-2640** is due to permission check and has a CVSS score of 7.8 out of 10. **CVE-2023-32629** is due to permission check and has a CVSS score of 7.8 out of 10. # Affected Products Based on the research [1], the following Ubuntu releases and versions are impacted: - Ubuntu 23.04 (Lunar Lobster) Version 6.2.0 - Ubuntu 22.10 (Kinetic Kudu) Version 5.19.0 - Ubuntu 22.04 LTS (Jammy Jellyfish) Versions 5.19.0 and 6.2.0 - Ubuntu 20.04 LTS (Focal Fossa) Version 5.4.0 (Only affected by CVE-2023-32629) - Ubuntu 18.04 LTS (Bionic Beaver) Version 5.4.0 (Only affected by CVE-2023-32629) This information is still being updated as more data becomes available from the official security bulletins for both CVEs [2][3]. # Recommendations CERT-EU recommends reviewing Ubuntu's security bulletins [2][3] and applying the necessary updates. # References [1] [2] [3]