VDB

CVE-2020-16120

CVE-2020-16120 PUBLISHED

Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef ("ovl: stack file ops"). This was fixed in kernel version 5.8 by commits 56230d9 ("ovl: verify permissions in ovl_path_open()"), 48bd024 ("ovl: switch to mounter creds in readdir") and 05acefb ("ovl: check permission to open real file"). Additionally, commits 130fdbc ("ovl: pass correct flags for opening real directory") and 292f902 ("ovl: call secutiry hook in ovl_real_ioctl()") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da ("ovl: do not fail because of O_NOATIMEi") in kernel 5.11.

EPSS 0.06% · 19.9th percentile

Risk Scores

EPSS Score
0.06%
19.9th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:FIPS:16.04:LTSlinux-fips4.4.0-1057.63, 4.4.0-1044.49, 4.4.0-1045.50
Ubuntu:18.04:LTSlinux-aws-5.05.0.0-1024.27~18.04.1, 5.0.0-1025.28, 5.0.0-1021.24~18.04.1
Ubuntu:20.04:LTSlinux-aws5.3.0-1009.10, 5.4.0-1008.8, 5.4.0-1007.7
Ubuntu:Pro:FIPS:20.04:LTSlinux-azure-fips0, 5.4.0-1022.22+fips1
Ubuntu:18.04:LTSlinux-gcp-5.35.3.0-1008.9~18.04.1, 5.3.0-1009.10~18.04.1, 5.3.0-1012.13~18.04.1
Ubuntu:18.04:LTSlinux-gcp-5.45.4.0-1024.24~18.04.1, *, 5.4.0-1025.25~18.04.1
Ubuntu:18.04:LTSlinux-raspi2-5.35.3.0-1018.20~18.04.1, 5.3.0-1017.19~18.04.1, 0
Ubuntu:18.04:LTSlinux-gke-5.35.3.0-1026.28~18.04.1, 0, 5.3.0-1020.22~18.04.1
Ubuntu:Pro:16.04:LTSlinux4.4.0-243.277, 0, 4.2.0-16.19
Ubuntu:20.04:LTSlinux-riscv5.4.0-24.28, 0, 5.4.0-27.31
Ubuntu:Pro:16.04:LTSlinux-aws4.4.0-1155.170, 4.4.0-1055.64, 4.4.0-1171.186
Ubuntu:Pro:16.04:LTSlinux-kvm4.4.0-1047.53, 0, 4.4.0-1004.9
Ubuntu:Pro:FIPS-updates:18.04:LTSlinux-azure-fips4.15.0-2009.10, 4.15.0-2008.9, 4.15.0-2007.8
Ubuntu:18.04:LTSlinux-gcp-edge4.18.0-1004.5~18.04.1, *, 5.0.0-1013.13~18.04.1
Ubuntu:22.04:LTSlinux-riscv5.15.0-1026.30, 5.15.0-1023.27, 5.15.0-1020.23
Ubuntu:16.04:LTSlinux-hwe4.10.0-37.41~16.04.1, 4.10.0-35.39~16.04.1, 4.10.0-33.37~16.04.1
Ubuntu:22.04:LTSlinux-intel-iot-realtime0, 5.15.0-1073.75
Ubuntu:Pro:FIPS-updates:20.04:LTSlinux-gcp-fips0, 5.4.0-1021.21+fips1
Ubuntu:Pro:14.04:LTSlinux-azure4.15.0-1023.24~14.04.1, 4.15.0-1030.31~14.04.1, 4.15.0-1031.32~14.04.1
Ubuntu:20.04:LTSlinux-azure0, 5.4.0-1022.22, 5.4.0-1009.9

…and 59 more

Timeline

  • Oct 13, 2020 CVE Published
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›