ISC StormCast for Friday, July 28th, 2023
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 28 July 2023
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello and welcome to the Friday, July 28, 2023 edition of the SANS Internet Storm Center's |
| 0:07.5 | Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida. |
| 0:14.1 | Researchers from Wiz.io disclosed two vulnerabilities in the Ubuntu implementation of OverlayFS. The overlay file system is often used |
| 0:25.1 | in containers, and while this is, at its root, a privilege escalation vulnerability, it's still |
| 0:32.5 | somewhat exciting, even though it's just privilege escalation, because it could affect container payloads |
| 0:39.7 | and how users running these payloads may be able to then break out into the host after |
| 0:46.1 | escalating privileges within the container. Overlay file system is often used with containers |
| 0:52.9 | because it does allow a static base image to be used, |
| 0:56.9 | and then changes to the file system, like if you add a file or move something, that's being tracked |
| 1:03.8 | in a second layer so you don't actually modify the underlying file system. But this is exactly sort of where the problem |
| 1:12.5 | comes in here. One of the features that Linux provides is capabilities. You may have used |
| 1:17.7 | it, for example, with tools like tcpdump, where you do allow users to use tcpdump to capture |
| 1:23.9 | network packets, but that's where the only capability that you assign to tcpdump, |
| 1:29.0 | so that way it's a little bit safer than using, for example, sudo, which is sort of notoriously |
| 1:34.3 | difficult to manage. The problem with the Ubuntu implementation of overlay file system is |
| 1:41.1 | that if you are moving a file from the underlying static file system into the |
| 1:49.0 | user layer of the file system, well, you can actually have these capabilities altered, |
| 1:54.8 | which then gives the user full root access to the system by essentially just adding all the capabilities to the particular |
| 2:02.1 | binary. The reason only Ubuntu is affected by this is that there was actually a similar |
| 2:07.8 | one of the least a couple years ago in the function that manages capabilities, but Ubuntu |
| 2:13.6 | made a modification to that particular function. It made its own copy of the function. |
| 2:19.1 | So the patch was never really applied to the Ubuntu version of it. |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

