Information
overlay is a Linux filesystem that layers multiple filesystems to create a single unified view which allows a user to "merge" several mount points into a unified filesystem.
The overlay has known CVE's: CVE-2023-32629, CVE-2023-2640, CVE-2023-0386. Disabling the overlay reduces the local attack surface by removing support for unnecessary filesystem types and mitigates potential risks associated with unauthorized execution of setuid files, enhancing the overall system security.
Solution
Run the following to unload and disable the overlay kernel module. This can also be done by running the script included below.
Run the following commands to unload the overlay kernel module:
# modprobe -r overlay 2>/dev/null
# rmmod overlay 2>/dev/null
Perform the following to disable the overlay kernel module:
Create a file ending inconf with install overlay /bin/false in the /etc/modprobe.d/ directory
Example:
# printf '\n%s\n' "install overlay /bin/false" >> overlay.conf
Create a file ending inconf with blacklist overlay in the /etc/modprobe.d/ directory
Example:
# printf '\n%s\n' "blacklist overlay" >> overlay.conf
Optional remediation script:
This script will perform the above remediation as required by the system
#!/usr/bin/env bash
{
a_output2=() a_output3=() l_dl="" l_mod_name="overlayfs" l_mod_type="fs"
l_mod_path="$(readlink -f /usr/lib/modules/**/kernel/$l_mod_type || readlink -f /lib/modules/**/kernel/$l_mod_type)"
f_module_fix()
{
l_dl="y" a_showconfig=()
while IFS= read -r l_showconfig; do
a_showconfig+=("$l_showconfig")
done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_chk_name//-/_}"'\b')
if lsmod | grep "$l_mod_chk_name" &> /dev/null; then
a_output2+=(" - unloading kernel module: \"$l_mod_chk_name\"")
modprobe -r "$l_mod_chk_name" 2>/dev/null; rmmod "$l_mod_chk_name" 2>/dev/null
fi
if ! grep -Pq -- '\binstall\h+'"${l_mod_chk_name//-/_}"'\h+(\/usr)?\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
a_output2+=(" - setting kernel module: \"$l_mod_chk_name\" to \"$(readlink -f /bin/false)\"")
printf '%s\n' "install $l_mod_chk_name $(readlink -f /bin/false)" >> /etc/modprobe.d/"$l_mod_chk_name".conf
fi
if ! grep -Pq -- '\bblacklist\h+'"${l_mod_chk_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
a_output2+=(" - denylisting kernel module: \"$l_mod_chk_name\"")
printf '%s\n' "blacklist $l_mod_chk_name" >> /etc/modprobe.d/"$l_mod_chk_name".conf
fi
}
for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A "$l_mod_base_directory/${l_mod_name/-/\/}")" ]; then
a_output3+=(" - \"$l_mod_base_directory\"")
l_mod_chk_name="$l_mod_name"
[[ "$l_mod_name" =~ overlay ]] && l_mod_chk_name="${l_mod_name::-2}"
[ "$l_dl" != "y" ] && f_module_fix
else
printf '%s\n' " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
fi
done
[ "${#a_output3[@]}" -gt 0 ] && printf '%s\n' "" " -- INFO --" " - module: \"$l_mod_name\" exists in:" "${a_output3[@]}"
[ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "" "${a_output2[@]}" || printf '%s\n' "" " - No changes needed"
printf '%s\n' "" " - remediation of kernel module: \"$l_mod_name\" complete" ""
}
Impact:
WARNING: If Container applications such as Docker, Kubernetes, Podman, Linux Containers (LXC), etc. are in use proceed with caution and consider the impact on containerized workloads, as disabling the overlay may severely disrupt containerization.