Bug 1691624 (CVE-2019-9755)
| Summary: | CVE-2019-9755 ntfs-3g: heap-based buffer overflow leads to local root privilege escalation | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | libvirt-maint, rjones, rschiron, tcallawa, xchen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-06 19:20:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1691628, 1691629, 1698502, 1698503, 1698516, 1698522 | ||
| Bug Blocks: | 1693523 | ||
|
Description
Dhananjay Arunesh
2019-03-22 06:27:04 UTC
External References: https://www.debian.org/security/2019/dsa-4413 Created ntfs-3g tracking bugs for this issue: Affects: fedora-all [bug 1691628] Created ntfs-3g tracking bugs for this issue: Affects: epel-all [bug 1691629] Upstream patch: https://sourceforge.net/p/ntfs-3g/ntfs-3g/ci/85c1634a26faa572d3c558d4cf8aaaca5202d4e9/ libguestfs-winsupport executes anything in a temporary VM, so even a Local Privilege Escalation in ntfs-3g would have less impact in this case. ntfs-3g as shipped in Fedora and RHEL (through the libguestfs-winsupport package) does not have the SUID bit set, thus it cannot be used to escalate privileges, even though, in any case, they would be the privileges inside a temporary Virtual Machine. ><rescue> ls -l /bin/ntfs-3g
-rwxr-xr-x 1 1000 1000 653496 Feb 22 2017 /bin/ntfs-3g
Looks correct, there is no SUID bit. On the other hand inside the libguestfs appliance everything
runs as root. But the whole point of the appliance is to contain rogue filesystems and stop
them from taking over the host.
For RHEL, that provides libguestfs-winsupport, I'm setting Low Impact, Confidentiality/Integrity as None and Availability as Low because even if an attacker can trick a high-privileged user into opening a malicious NTFS with a very long mount point, he would be confined in a temporary VM without network and he could read/write only the malicious NTFS image itself. On Fedora, however, ntfs-3g is directly shipped and it is not run in a temporary VM. For these reasons, the Impact there is Moderate. In any case, the ntfs-3g binaries are not SUID, so the attacker needs to trick a high-privileged user to open a malicious NTFS filesystem with a very long mount point. Statement: This flaw has a lower impact on Red Hat Enterprise Linux because the ntfs-3g tool is run in a supermin appliance, which is similar to a virtual machine instantiated on the fly, and it does not have the SUID bit set. Thus an attacker is very limited on what he can do to the vulnerable system. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2308 https://access.redhat.com/errata/RHSA-2019:2308 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9755 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3345 https://access.redhat.com/errata/RHSA-2019:3345 |