oss-sec mailing list archives
OPEN SOURCE NTFS-3G SECURITY ADVISORY NTFS3G-SA-2022-0002
From: Jussi Hietanen <jussi.hietanen () tuxera com>
Date: Thu, 26 May 2022 11:48:31 +0300
Security vulnerabilities were identified in the open source NTFS-3G built with internal libfuse (known as libfuse-lite) or libfuse2. These vulnerabilities were confirmed and resolved. A proof-of-concept exploit against a specific NTFS-3G build exists.
These vulnerabilities allow an attacker to execute arbitrary privileged code, if the attacker has local access and the ntfs-3g binary is setuid root.
We recommend installing and applying the update with the security fixes, and advise to follow security guidance and frameworks such as NIST for assessing and improving an organization’s abilities to prevent, detect, and respond to security threats and cyber attacks.
AFFECTED PRODUCTS: All previous versions of open source NTFS-3G compiled with internal libfuse (known as libfuse-lite) or libfuse2.
WORKAROUND: None SOLUTION: Upgrade to 2022.5.17 PROJECT URL: https://github.com/tuxera/ntfs-3g ADVISORY ID: NTFS3G-SA-2022-0002 ISSUE DATE: 2022-05-26 SEVERITY: High CVEs: CVE-2022-30783, CVE-2022-30785, CVE-2022-30787 CVSS SCORE: 7.5ACKNOWLEDGMENT: Thanks to Roman Fiedler for reporting the vulnerabilities and supplying a PoC.
Current thread:
- OPEN SOURCE NTFS-3G SECURITY ADVISORY NTFS3G-SA-2022-0002 Jussi Hietanen (May 26)