oss-sec mailing list archives
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631
From: Greg KH <greg () kroah com>
Date: Tue, 30 Jan 2024 15:01:24 -0800
On Tue, Jan 30, 2024 at 10:45:00PM +0100, Solar Designer wrote:
Thank you Greg for looking into these issues. It's great that most longterm kernel trees appear already fixed.
I've taken the one remaining missing fix into the next round of kernel releases, so all should be good now.
For CVE-2021-33631 (the ext4 BUG), both the distro vendor's and NVD's CVSS input vectors specify AV:L/AC:L/PR:L/UI:N, which means the vulnerability can be triggered by a local system user at will and without additional privileges. I'd say that deliberately getting the kernel to work on a corrupted filesystem requires at least one of: physical access (AV:P) or privileges on the system (PR:H) or user interaction (UI:R). However, there's no way to encode this in one CVSS vector. Also, in the physical access case, at least the availability impact typically does not apply (would be A:N).
The "interesting" thing here is that the project in question (the kernel) does not consider "mounting a corrupted filesystem" as a real attack vector at all. There's been long discussions about it, the most recent being last year on the kernel summit discuss mailing list, and at the kernel summit itself. So while CVSS might consider this a real issue, the developers of the project itself do not. The disconnect is one that drives people who use sysbot tools to create fancy corrupted filesystem images with the goal of getting a CVE for their CV, crazy on a weekly basis when the issues they report get constantly ignored. Good times :) thanks, greg k-h
Current thread:
- FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Jan 31)
- Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Roxana Bradescu (Feb 02)
- Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Feb 02)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)