CVE-2020-16120 Overview
CVE-2020-16120 is a privilege escalation vulnerability in the Linux kernel's overlayfs implementation. The vulnerability arises from improper permission checking when copying up files in an overlayfs, which can be exploited from within a user namespace when unprivileged user namespaces are allowed. This flaw enables an attacker to copy files that should not be readable by an unprivileged user to a mountpoint controlled by the attacker, such as a removable device.
The vulnerability was introduced in kernel version 4.19 by commit d1d04ef ("ovl: stack file ops") and was subsequently fixed in kernel version 5.8 through multiple commits addressing permission verification in overlayfs operations.
Critical Impact
Local attackers with access to unprivileged user namespaces can bypass file permission restrictions and access sensitive data through overlayfs copy-up operations.
Affected Products
- Linux Kernel versions 4.19 through 5.7
- Canonical Ubuntu Linux 14.04 ESM
- Canonical Ubuntu Linux 16.04 LTS
- Canonical Ubuntu Linux 18.04 LTS
- Canonical Ubuntu Linux 20.04 LTS
Discovery Timeline
- 2021-02-10 - CVE-2020-16120 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-16120
Vulnerability Analysis
The vulnerability exists in the Linux kernel's overlayfs filesystem implementation, specifically in how it handles file permissions during copy-up operations. Overlayfs is a union mount filesystem that allows one filesystem to be layered over another. When a file from a lower layer needs to be modified, overlayfs performs a "copy-up" operation, copying the file to the upper layer.
The flaw lies in the inadequate permission verification during these copy-up operations when executed within a user namespace context. When unprivileged user namespaces are enabled (a common configuration in containerized environments), an attacker can leverage this weakness to copy files that would normally be inaccessible to unprivileged users to an attacker-controlled location, such as a removable storage device.
The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment), indicating a fundamental issue with how privileges are managed during overlayfs operations within user namespaces.
Root Cause
The root cause of CVE-2020-16120 stems from the changes introduced in commit d1d04ef ("ovl: stack file ops") in kernel version 4.19. This commit modified how overlayfs handles file operations but failed to properly implement permission checks when copying up files within a user namespace context.
Specifically, the overlayfs implementation did not verify that the calling process had appropriate permissions to read the source file in the lower layer before performing the copy-up operation. This oversight allowed processes running within unprivileged user namespaces to access and copy files that should be restricted based on traditional Unix permission models.
Attack Vector
The attack requires local access to a system where unprivileged user namespaces are enabled. An attacker can exploit this vulnerability by:
- Creating a user namespace with elevated capabilities within that namespace
- Setting up an overlayfs mount that includes sensitive files in the lower layer
- Triggering a copy-up operation on target files that would normally be unreadable
- Accessing the copied files from a mountpoint controlled by the attacker, such as a removable device
The attack leverages the permission checking gap during the overlayfs copy-up process, where the operation proceeds without properly validating whether the initiating user has read access to the original file.
Detection Methods for CVE-2020-16120
Indicators of Compromise
- Unexpected overlayfs mount operations initiated from within user namespaces
- Unusual file copy activities involving sensitive system files to removable media or user-controlled directories
- Process activity showing user namespace creation followed by overlayfs operations
- Anomalous access patterns to files that should be permission-restricted for unprivileged users
Detection Strategies
- Monitor for overlayfs mount operations using auditd rules targeting the mount syscall with overlayfs filesystem type
- Implement file integrity monitoring on critical system files to detect unexpected copy operations
- Track user namespace creation events and correlate with subsequent filesystem operations
- Deploy kernel-level monitoring to detect suspicious overlayfs copy-up operations
Monitoring Recommendations
- Enable audit logging for mount syscalls with specific focus on overlayfs operations: auditctl -a always,exit -F arch=b64 -S mount -k overlayfs_monitor (the SYSCALL record does not carry the filesystem type, so identify overlay mounts from the PROCTITLE record in the ausearch -k overlayfs_monitor output)
- Configure SentinelOne agents to monitor for anomalous file access patterns involving overlayfs
- Review audit logs for user namespace creation events; the kernel does not log these to dmesg or journalctl by default, so add an auditd rule for the unshare and clone syscalls with the CLONE_NEWUSER flag set
- Monitor /proc/[pid]/mountinfo for unexpected overlayfs configurations
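The correlation that the Detection Strategies and Monitoring Recommendations lists describe, as an added Python example that is not part of the original advisory: it parses raw auditd records, decodes hex-encoded PROCTITLE values, and flags an overlay mount that follows a CLONE_NEWUSER unshare or clone in the same audit session. It assumes x86_64 syscall numbers and audit rules of the form -a always,exit -F arch=b64 -S unshare,clone -F a0&0x10000000 -k userns and -a always,exit -F arch=b64 -S mount -k overlayfs (clone3 is not covered); the log records are constructed.

```python
import re
from collections import defaultdict
CLONE_NEWUSER, SYS_CLONE, SYS_MOUNT, SYS_UNSHARE = 0x10000000, 56, 165, 272   # x86_64 numbers
WINDOW_SECONDS = 300.0   # user namespace creation followed by an overlay mount within 5 minutes
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """One raw auditd record -> dict; an unquoted proctitle is hex-encoded, NUL-separated argv."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if key == 'proctitle' and not raw.startswith('"'):
            raw = bytes.fromhex(raw).replace(b'\x00', b' ').decode(errors='replace')
        fields[key] = raw.strip('"')
    stamp, serial = MSG_RE.search(line).groups()
    fields['time'], fields['serial'] = float(stamp), serial
    return fields

def correlate(lines):
    """(auid, ses, serial, proctitle) for overlay mounts that follow CLONE_NEWUSER in the same session."""
    events = defaultdict(dict)   # SYSCALL and PROCTITLE records of one syscall share a serial
    for line in lines:
        rec = parse_record(line)
        events[rec['serial']].update(rec)
    userns_seen, alerts = {}, []
    for ev in sorted(events.values(), key=lambda e: e['time']):
        if 'syscall' not in ev or ev.get('success') != 'yes':
            continue
        nr, key = int(ev['syscall']), (ev.get('auid'), ev.get('ses'))
        if nr in (SYS_UNSHARE, SYS_CLONE) and int(ev.get('a0', '0'), 16) & CLONE_NEWUSER:
            userns_seen[key] = ev['time']   # a0 holds the clone flags for unshare(2) and clone(2)
        elif nr == SYS_MOUNT and 'overlay' in ev.get('proctitle', ''):
            started = userns_seen.get(key)
            if started is not None and ev['time'] - started <= WINDOW_SECONDS:
                alerts.append((*key, ev['serial'], ev['proctitle']))
    return alerts

def _proctitle(*argv):   # hex-encode argv the way the PROCTITLE record does (sample data only)
    return b'\x00'.join(a.encode() for a in argv).hex().upper()
SAMPLE_LOG = [   # constructed records, not taken from a real system
    'type=SYSCALL msg=audit(1613000000.100:501): arch=c000003e syscall=272 success=yes exit=0 '
    'a0=10000000 a1=0 a2=0 a3=0 pid=2001 auid=1000 uid=1000 ses=3 comm="unshare" key="userns"',
    'type=PROCTITLE msg=audit(1613000000.100:501): proctitle=' + _proctitle('unshare', '-Ur'),
    'type=SYSCALL msg=audit(1613000000.900:502): arch=c000003e syscall=165 success=yes exit=0 '
    'a0=7ffd1 a1=7ffd2 a2=7ffd3 a3=0 pid=2002 auid=1000 uid=1000 ses=3 comm="mount" key="overlayfs"',
    'type=PROCTITLE msg=audit(1613000000.900:502): proctitle=' + _proctitle(
        'mount', '-t', 'overlay', 'overlay', '-o', 'lowerdir=/etc,upperdir=/tmp/u,workdir=/tmp/w', '/tmp/m'),
    'type=SYSCALL msg=audit(1613000001.000:503): arch=c000003e syscall=165 success=yes exit=0 '
    'a0=7ffd1 a1=7ffd2 a2=7ffd3 a3=0 pid=3001 auid=1001 uid=0 ses=4 comm="mount" key="overlayfs"',
    'type=PROCTITLE msg=audit(1613000001.000:503): proctitle=' + _proctitle('mount', '-t', 'overlay', '/mnt'),
]
```

Run correlate() over the output of ausearch -i --raw or the raw audit.log; the third sample mount comes from a session with no prior user namespace and is deliberately not flagged.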
How to Mitigate CVE-2020-16120
Immediate Actions Required
- Update the Linux kernel to version 5.8 or later which contains the security fixes
- Apply vendor-specific security patches for Ubuntu systems as outlined in security notices USN-4576-1, USN-4577-1, and USN-4578-1
- Disable unprivileged user namespaces if not required: sysctl -w kernel.unprivileged_userns_clone=0 (this sysctl exists on Ubuntu and Debian kernels; mainline kernels lack it and use user.max_user_namespaces=0 instead)
- Review and restrict access to overlayfs capabilities using security modules such as AppArmor or SELinux
Patch Information
The vulnerability was fixed in Linux kernel version 5.8 through multiple commits:
- Commit 56230d9 - "ovl: verify permissions in ovl_path_open()"
- Commit 48bd024 - "ovl: switch to mounter creds in readdir"
- Commit 05acefb - "ovl: check permission to open real file"
- Commit 130fdbc - "ovl: pass correct flags for opening real directory"
- Commit 292f902 - "ovl: call security hook in ovl_real_ioctl()"
A regression affecting overlay mounts within user namespaces was later addressed in kernel 5.11 by commit b6650da ("ovl: do not fail because of O_NOATIME").
For Ubuntu systems, apply the appropriate security updates:
Additional technical details are available in Launchpad Bug #1894980 and the Openwall OSS-Security Discussion.
Workarounds
- Disable unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0 in sysctl configuration
- Restrict overlayfs usage through mount namespace restrictions or container security policies
- Implement AppArmor or SELinux policies to limit overlayfs operations to trusted processes
- Remove user access to removable media devices where sensitive data could be exfiltrated
# Disable unprivileged user namespaces (Ubuntu/Debian kernels; mainline kernels
# do not have this sysctl and use user.max_user_namespaces=0 instead)
echo "kernel.unprivileged_userns_clone = 0" >> /etc/sysctl.conf
sysctl -p
# Verify the setting is applied
sysctl kernel.unprivileged_userns_clone
# Monitor for overlayfs mounts using auditd. The fstype field is only accepted on
# the filesystem filter, not on exit rules, so record every mount syscall and pick
# out overlay mounts afterwards from the PROCTITLE record (ausearch -k overlayfs_activity).
# Add a matching -F arch=b32 rule on systems that run 32-bit binaries.
auditctl -a always,exit -F arch=b64 -S mount -k overlayfs_activity
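A host posture check for the mitigation steps above, as an added Python example that is not part of the original page: it places a uname -r string against the 4.19 to 5.7 upstream range and picks the sysctl that disables unprivileged user namespaces, which is kernel.unprivileged_userns_clone on Ubuntu and Debian kernels and user.max_user_namespaces on mainline kernels. Distribution kernels with the fix backported still report a version inside the range, so the verdict is a prompt to check the package changelog against the USNs, not proof of exposure; the function and verdict strings are this example's own.

```python
import re
from pathlib import Path

# Upstream affected range stated in the advisory: introduced in 4.19, fixed in 5.8.
AFFECTED_FROM, FIXED_IN = (4, 19), (5, 8)
RELEVANT_SYSCTLS = {'kernel.unprivileged_userns_clone', 'user.max_user_namespaces'}

def kernel_major_minor(release):
    """'5.4.0-48-generic' -> (5, 4); raises on strings that do not start with major.minor."""
    m = re.match(r'(\d+)\.(\d+)', release)
    if not m:
        raise ValueError(f'unrecognised kernel release: {release!r}')
    return int(m.group(1)), int(m.group(2))

def in_upstream_affected_range(release):
    """True when the upstream version lies in [4.19, 5.8); distro backports are not visible here."""
    return AFFECTED_FROM <= kernel_major_minor(release) < FIXED_IN

def present_sysctls(proc_sys=Path('/proc/sys')):
    """Which of the two relevant knobs exist on this host (reads /proc/sys)."""
    return {n for n in RELEVANT_SYSCTLS if (proc_sys / n.replace('.', '/')).exists()}

def userns_disable_setting(present):
    """Pick the sysctl that blocks unprivileged user namespace creation.
    Ubuntu/Debian kernels expose kernel.unprivileged_userns_clone; mainline does not,
    so user.max_user_namespaces=0 is the fallback. That fallback also stops root and
    container runtimes from creating new user namespaces, so test it before rollout."""
    if 'kernel.unprivileged_userns_clone' in present:
        return 'kernel.unprivileged_userns_clone=0'
    return 'user.max_user_namespaces=0'

def assess(release, present):
    """Summarise the host's position against CVE-2020-16120 as (verdict, sysctl to apply)."""
    if not in_upstream_affected_range(release):
        return ('outside upstream affected range', None)
    return ('upstream version in affected range: confirm the distro kernel carries the 5.8 fixes',
            userns_disable_setting(present))

if __name__ == '__main__':
    import os
    print(assess(os.uname().release, present_sysctls()))
```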
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.