CVE-2019-10140 in Linux

Summary

by MITRE

A vulnerability was found in the Linux kernel's implementation of overlayfs, versions up to 3.10. An attacker with local access can create a denial of service situation via a NULL pointer dereference in the ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with the ability to create directories on overlayfs to crash the kernel, creating a denial of service (DoS).


Analysis

by VulDB Data Team • 11/25/2023

The vulnerability identified as CVE-2019-10140 represents a critical NULL pointer dereference flaw within the Linux kernel's overlay filesystem implementation. This security issue specifically affects kernel versions up to 3.10 and resides in the ovl_posix_acl_create function located in the fs/overlayfs/dir.c source file. The overlay filesystem serves as a virtual filesystem layer that allows users to mount multiple filesystems on top of each other, creating a unified view of the underlying data structures. This functionality is particularly valuable in containerized environments and system administration scenarios where layered filesystems are commonly employed.

The technical exploitation of this vulnerability occurs when an attacker with local access and the ability to create directories within an overlayfs mount point can trigger a kernel crash through a carefully crafted sequence of operations. The flaw manifests as a NULL pointer dereference during the execution of the ovl_posix_acl_create function, which is responsible for handling access control list creation operations within the overlay filesystem context. When the function attempts to dereference a pointer that has not been properly initialized or has been set to NULL, the kernel encounters an unexpected termination condition that results in a system crash. This type of vulnerability falls under CWE-476, which specifically addresses NULL pointer dereference conditions in software implementations.

The operational impact of this vulnerability extends beyond simple system instability, as it provides a reliable method for attackers to execute denial of service attacks against systems running vulnerable kernel versions. The attack requires only local access and the ability to create directories within the overlayfs mount point, making it particularly concerning for multi-user systems where privilege escalation might be possible. In containerized environments, this vulnerability could be exploited by unprivileged users to crash container hosts, potentially affecting multiple containers and services running on the same system. The vulnerability's presence in kernel versions up to 3.10 indicates it has been present for several years, making it a persistent threat in legacy systems that have not received proper security updates.

From a defensive perspective, the primary mitigation strategy involves upgrading to kernel versions that contain the patched implementation of overlayfs functionality. System administrators should prioritize immediate patching of affected systems, particularly those running kernel versions 3.10 or earlier. The vulnerability demonstrates the importance of proper input validation and pointer initialization in kernel-space code, as the flaw could have been prevented through defensive programming practices that ensure all pointers are properly validated before dereferencing operations. Organizations should also implement monitoring systems to detect potential exploitation attempts and maintain comprehensive backup and recovery procedures to minimize the impact of successful denial of service attacks. This vulnerability aligns with ATT&CK technique T1499, which covers network denial of service attacks, and highlights the importance of kernel-level security controls in preventing system compromise through local privilege escalation vectors.
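
A triage sketch for the patching and monitoring advice above, as an added example that is not part of the VulDB entry or the kernel project: it checks a kernel release string against the stated range, lists overlayfs mounts, and counts NULL-dereference oopses that name ovl_posix_acl_create. The function names and the sample mount and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: host triage for CVE-2019-10140. Function names are hypothetical.

# Succeeds when a `uname -r` style release is major.minor <= 3.10 (the range the
# advisory states). Returns 2 if the string cannot be parsed.
kernel_in_range() {
    ver=${1%%-*}                       # 3.10.0-957.el7.x86_64 -> 3.10.0
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -le 10 ]; }
}

# Reads /proc/mounts format on stdin; prints mount points backed by overlayfs.
overlay_mounts() {
    awk '$3 == "overlay" || $3 == "overlayfs" { print $2 }'
}

# Reads kernel log text on stdin; counts NULL-dereference oopses whose trace
# names ovl_posix_acl_create within the next 30 lines.
ovl_acl_oops_count() {
    awk '/NULL pointer dereference/ { armed = NR }
         armed && NR - armed <= 30 && /ovl_posix_acl_create/ { n++; armed = 0 }
         END { print n + 0 }'
}

# Constructed sample inputs (not captured from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / xfs rw,relatime 0 0
overlay /var/lib/containers/merged overlay rw,lowerdir=/l,upperdir=/u,workdir=/w 0 0
tmpfs /run tmpfs rw,nosuid 0 0
EOF
}
sample_log() {
    cat <<'EOF'
[ 100.000001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 100.000002] IP: ovl_posix_acl_create+0x0/0x0 [overlay]
[ 200.000001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[ 200.000002] IP: some_other_function+0x0/0x0
EOF
}

# Live use: kernel_in_range "$(uname -r)"; overlay_mounts </proc/mounts;
#           dmesg | ovl_acl_oops_count
```

A release in range only marks a host as a candidate: distribution kernels carry backported fixes, so confirm against the vendor's advisory for the installed kernel package.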

Responsible: Red Hat, Inc.

Reservation: 03/27/2019

Moderation: accepted

CPE: ready

EPSS: 0.00096

KEV: no

Activities: very low
