#VU78673 Permissions, Privileges, and Access Controls in linux-image-6.2.0-1006-ibm (Ubuntu package) - CVE-2023-2640

 


Published: July 26, 2023 / Updated: December 18, 2024


Vulnerability identifier: #VU78673
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear
CVE-ID: CVE-2023-2640
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability: Public exploit is available
Vulnerable software: linux-image-6.2.0-1006-ibm (Ubuntu package)
Software vendor: Canonical Ltd.

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to missing permission checks for trusted.overlayfs.* xattrs. A local user can set privileged extended attributes on the mounted files, which causes them to be set on the upper files without the appropriate security checks.


Remediation

Install updates from the vendor's website.
