CVE-2026-31431 Linux Kernel Local Privilege Escalation

May 1, 2026

To the UCB-Security community, 

This is a notice from the Information Security Office to alert you to a critical vulnerability that impacts Linux systems running unpatched kernels after 4.14[1]. Please share this alert internally with IT admins and service owners who run Linux so they are prepared to take action when patches become available.

This is a preliminary announcement. More information will follow when we have it.

SUMMARY

ISO is aware of a critical vulnerability that affects Linux systems running unpatched kernels above version 4.14[1][2]. This vulnerability, called Copy Fail by the researcher[3], is a logic flaw that lets any local user write to any readable file on the system and thereby escalate their privileges to root. It also acts as a container escape on container systems running software such as Kubernetes, Docker, and CI runners.

IMPACT

A local logged-in user can run a single command and gain root access to the system, including breaking out of a container.

WHAT IS VULNERABLE

All versions of Linux running kernel versions between 4.14.* and 6.18.22, and all versions of Linux running the 6.19 kernel before 6.19.12.

RECOMMENDATIONS

  1. Upgrade your distribution’s kernel package to one that includes the fixes (6.18.22 or greater, 6.19.12 or greater, or 7.0 or greater).

MITIGATION

Ensuring that local users cannot log in to the system unless they are system administrators will temporarily reduce the attack surface.

If you are unable to follow the above recommendations immediately, a temporary workaround is to disable the algif_aead module[3]. This applies everywhere except RHEL 9, where algif_aead is a built-in module:

rmmod algif_aead
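
An added example, not part of the original notice: a shell check that classifies a kernel release against the version ranges listed above and reports whether algif_aead is loaded or built in. The function names are hypothetical, 6.18.22 is treated as fixed per the recommendation, and only upstream version numbers are compared, so a vendor kernel with backported fixes can still show as affected.

```shell
#!/bin/sh
# Added example: check a host against the ranges given in this notice.
# Assumption: upstream version numbers only; confirm an "affected" result
# against your distribution's own advisory before acting on it.

# kernel_status RELEASE -> prints affected | fixed | not-listed
kernel_status() {
    ver=${1%%-*}                 # drop distro suffix: 6.18.21-generic -> 6.18.21
    maj=${ver%%.*}
    rest=${ver#*.}
    min=${rest%%.*}
    case $rest in
        *.*) pat=${rest#*.} ;;   # third component, if present
        *)   pat=0 ;;            # e.g. "7.0"
    esac
    # Keep leading digits only, defaulting to 0 for anything unparsable.
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    : "${maj:=0}" "${min:=0}" "${pat:=0}"
    n=$(( maj * 1000000 + min * 1000 + pat ))
    if   [ "$n" -lt 4014000 ]; then echo not-listed   # older than 4.14
    elif [ "$n" -lt 6018022 ]; then echo affected     # 4.14.* up to 6.18.21
    elif [ "$n" -lt 6019000 ]; then echo fixed        # 6.18.22 or greater
    elif [ "$n" -lt 6019012 ]; then echo affected     # 6.19 before 6.19.12
    else                            echo fixed        # 6.19.12+, 7.0+
    fi
}

# module_state [PROC_MODULES] [MODULES_BUILTIN]
#   -> prints loaded | builtin | not-loaded
# The file arguments default to the live system; pass copies for offline triage.
module_state() {
    mods=${1:-/proc/modules}
    bi=${2:-/lib/modules/$(uname -r)/modules.builtin}
    if grep -q '^algif_aead ' "$mods" 2>/dev/null; then
        echo loaded              # rmmod applies
    elif grep -q '/algif_aead\.ko' "$bi" 2>/dev/null; then
        echo builtin             # cannot be unloaded with rmmod
    else
        echo not-loaded
    fi
}

echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
echo "algif_aead: $(module_state)"
```

rmmod does not persist across a reboot, so re-run the check after restarting a system that is still waiting for a patched kernel.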

REFERENCES

  1. https://www.cve.org/CVERecord?id=CVE-2026-31431

  2. https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/T/#u

  3. https://copy.fail/

If you have any questions about the vulnerability or would like some assistance patching or mitigating it, please contact security@berkeley.edu.