June 20, 20251 yr Hi Unraid team,I'd like to raise a security concern affecting the latest Unraid 7.1.4 release (2025-06-18).⚠️ Vulnerability ContextUnraid systems (including 7.1.4) run Linux kernel 6.12.24-Unraid, which is still vulnerable to CVE-2023-0386 — a known local privilege escalation flaw in the OverlayFS filesystem.This CVE is now:Actively exploited in the wild (confirmed by CISA)Patched in Linux 6.2-rc6+Not mentioned or backported in 7.1.4’s changelog✅ How Unraid Is AffectedUnraid uses OverlayFS by default.Here is a Proof-of-Vulnerability script:#!/bin/bash echo "=== OverlayFS Vulnerability Checker ===" # 1. Show kernel version echo -e "\n[+] Kernel version:" uname -r # 2. Check if OverlayFS is supported echo -e "\n[+] OverlayFS support in kernel:" cat /proc/filesystems | grep overlay && echo "OverlayFS is supported" || echo "OverlayFS NOT supported" # 3. Check if OverlayFS is mounted echo -e "\n[+] OverlayFS active mounts:" mount | grep overlay # 4. Show detailed mountinfo (proves upperdir/workdir are present) echo -e "\n[+] Detailed OverlayFS mountinfo:" cat /proc/self/mountinfo | grep overlay # 5. Optional: check if module is loaded (informational only) echo -e "\n[+] Kernel module status (optional):" lsmod | grep overlay || echo "OverlayFS not a module or not listed in lsmod (could be built-in)" echo -e "\n[!] If OverlayFS is mounted AND kernel version < 6.2 => System is vulnerable to CVE-2023-0386 unless patched.\n"Result:=== OverlayFS Vulnerability Checker === [+] Kernel version: 6.12.24-Unraid [+] OverlayFS support in kernel: nodev overlay OverlayFS is supported [+] OverlayFS active mounts: overlay on /usr type overlay (rw,relatime,lowerdir=/usr,upperdir=/var/local/overlay/usr,workdir=/var/local/overlay-work/usr,uuid=on) overlay on /lib type overlay (rw,relatime,lowerdir=/lib,upperdir=/var/local/overlay/lib,workdir=/var/local/overlay-work/lib,uuid=on) [+] Detailed OverlayFS mountinfo: 30 27 0:24 / /usr rw,relatime - overlay overlay rw,lowerdir=/usr,upperdir=/var/local/overlay/usr,workdir=/var/local/overlay-work/usr,uuid=on 34 31 0:27 / /lib rw,relatime - overlay overlay rw,lowerdir=/lib,upperdir=/var/local/overlay/lib,workdir=/var/local/overlay-work/lib,uuid=on [+] Kernel module status (optional): OverlayFS not a module or not listed in lsmod (could be built-in) [!] If OverlayFS is mounted AND kernel version < 6.2 => System is vulnerable to CVE-2023-0386 unless patched.This satisfies all CVE-2023-0386 exploit preconditions:A malicious plugin or Docker container with basic file write access could escalate to rootIt's a silent, local risk — no SUID or setcap needed🧪 Confirmed:Kernel: uname -r → 6.12.24-UnraidOverlayFS in use: confirmed on /usr, /libNo security fixes listed in 7.1.4 release notes🔐 Suggested ActionsBackport the OverlayFS fix from Linux 6.2-rc6 or later into 6.12.24-UnraidClearly document any CVE-related patching in future changelogsOptionally provide a temporary advisory on unraid.net and encourage minimal plugin/container exposure for security-conscious users📦 Supplemental AuditI’ve written a lightweight script that checks for:New or modified SUID binariesSuspicious Linux capabilitiesSHA256 hash changes to binaries under /usr, /lib, /etc#!/bin/bash # OverlayFS security audit script with SUID, capabilities, and SHA256 change detection LOGFILE="/var/log/overlayfs_audit.log" SUID_DB="/var/local/overlayfs_suid_baseline.txt" CAP_DB="/var/local/overlayfs_caps_baseline.txt" HASH_DB="/var/local/overlayfs_hashes_baseline.txt" TMP_DIR="/tmp/overlayfs_audit_tmp" # Directories to scan (expanded list) SCAN_DIRS=("/usr" "/lib" "/etc" "/opt" "/bin") mkdir -p "$TMP_DIR" echo "=== OverlayFS Security Audit @ $(date) ===" >> "$LOGFILE" # 1. Scan for new SUID files echo "[*] Scanning for SUID binaries..." | tee -a "$LOGFILE" find "${SCAN_DIRS[@]}" -xdev -perm -4000 -type f 2>/dev/null | sort > "$TMP_DIR/current_suid.txt" if [ -f "$SUID_DB" ]; then echo "[*] Comparing with SUID baseline..." | tee -a "$LOGFILE" comm -13 "$SUID_DB" "$TMP_DIR/current_suid.txt" >> "$LOGFILE" else echo "[!] No SUID baseline found. Creating new one." | tee -a "$LOGFILE" cp "$TMP_DIR/current_suid.txt" "$SUID_DB" fi # 2. Scan for files with capabilities echo "[*] Scanning for files with Linux capabilities..." | tee -a "$LOGFILE" getcap -r "${SCAN_DIRS[@]}" 2>/dev/null | sort > "$TMP_DIR/current_caps.txt" if [ -f "$CAP_DB" ]; then echo "[*] Comparing capabilities with baseline..." | tee -a "$LOGFILE" comm -13 "$CAP_DB" "$TMP_DIR/current_caps.txt" >> "$LOGFILE" else echo "[!] No capabilities baseline found. Creating new one." | tee -a "$LOGFILE" cp "$TMP_DIR/current_caps.txt" "$CAP_DB" fi # 3. SHA256 hash monitoring for tracked directories echo "[*] Generating SHA256 file hashes..." | tee -a "$LOGFILE" find "${SCAN_DIRS[@]}" -xdev -type f -exec sha256sum {} + 2>/dev/null | sort > "$TMP_DIR/current_hashes.txt" if [ -f "$HASH_DB" ]; then echo "[*] Comparing hashes with baseline..." | tee -a "$LOGFILE" diff -u "$HASH_DB" "$TMP_DIR/current_hashes.txt" | grep -E '^\+|^-' | grep -vE '^\+\+\+|^---' >> "$LOGFILE" else echo "[!] No hash baseline found. Creating new one." | tee -a "$LOGFILE" cp "$TMP_DIR/current_hashes.txt" "$HASH_DB" fi # Cleanup rm -rf "$TMP_DIR" echo "=== Audit complete ===" >> "$LOGFILE" echo "Results saved to $LOGFILE"Thanks for your hard work — Unraid is an amazing platform. Just wanted to raise this now that exploit activity is increasing and many users may not be aware this risk applies to home servers too.If the Unraid dev team would like more info, feel free to reach out to me via LinkedIn or the Unraid forum — happy to help however I can.
June 20, 20251 yr Unraid is running kernel 6.12 which is greater than 6.2 so I should have the CVE patched.
June 20, 20251 yr Solution Unraid v7.1.x uses kernel v6.12.24 which has been patched.The patch included involved adding this:https://elixir.bootlin.com/linux/v6.12.24/source/fs/overlayfs/copy_up.c#L1158
June 24, 20251 yr I broke out the magnifying glass but couldn't find that pesky decimal place between the 1 and 2 in "12" 🧐 🤣Kernel 6.1.9 (not subject to the CVE) was released back in 2022 BTW.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.