Bug 2236130 (CVE-2022-40284)

Summary: CVE-2022-40284 NTFS-3G: buffer overflow issue in NTFS-3G can cause code execution via crafted metadata in an NTFS image
Product: [Other] Security Response
Reporter: juneau
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: ddepaula, jferlan, rjones, virt-maint, ymankad, yoguo
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A buffer overflow flaw was found in NTFS-3G. The issue is triggered by crafted metadata in an NTFS image and can lead to code execution. A local attacker can exploit this issue if the NTFS-3G binary is setuid root. A physically proximate attacker can exploit this issue if the NTFS-3G software is configured to execute upon attachment of an external storage device. This vulnerability may also allow an attacker using a maliciously crafted NTFS-formatted image file or external storage to potentially execute arbitrary privileged code, if the attacker has either local access and the ntfs-3g binary is setuid root, or physical access to an external port on a computer that is configured to run the ntfs-3g binary or one of the ntfsprogs tools when the external storage is plugged in. The vulnerability results from incorrect validation of some of the NTFS metadata, which could cause a buffer overflow that an attacker could exploit.
Bug Depends On: 2236365, 2236366, 2236367, 2236368, 2236369, 2236370, 2236371, 2236372, 2236373, 2236374, 2236375, 2236376, 2236377, 2236378, 2236379, 2236380    
Bug Blocks: 2236134    

Description juneau 2023-08-30 12:16:38 UTC
A buffer overflow was discovered in NTFS-3G before 2022.10.3. Crafted metadata in an NTFS image can cause code execution. A local attacker can exploit this if the ntfs-3g binary is setuid root. A physically proximate attacker can exploit this if NTFS-3G software is configured to execute upon attachment of an external storage device.

Comment 2 Sandipan Roy 2023-08-31 05:02:24 UTC
Created ntfs-3g tracking bugs for this issue:

Affects: epel-all [bug 2236365]
Affects: fedora-all [bug 2236366]

Comment 4 Sandipan Roy 2023-09-08 08:29:03 UTC
Changing the impact to Low as,

For RHEL, which provides libguestfs-winsupport, that's Low Impact, with Confidentiality/Integrity as None and Availability as Low, because even if an attacker can trick a high-privileged user into opening a malicious NTFS with a very long mount point, he would be confined in a temporary VM without network and he could read/write only the malicious NTFS image itself.

On Fedora, however, ntfs-3g is directly shipped and it is not run in a temporary VM. For these reasons, the Impact there is Moderate. In any case, the ntfs-3g binaries are not SUID, so the attacker needs to trick a high-privileged user into opening a malicious NTFS filesystem with a very long mount point.

Comment 5 errata-xmlrpc 2023-09-19 13:04:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5239 https://access.redhat.com/errata/RHSA-2023:5239

Comment 6 errata-xmlrpc 2023-09-19 14:37:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5264 https://access.redhat.com/errata/RHSA-2023:5264

Comment 7 errata-xmlrpc 2023-09-28 18:56:49 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.EUS

Via RHSA-2023:5405 https://access.redhat.com/errata/RHSA-2023:5405

Comment 8 errata-xmlrpc 2023-10-10 14:14:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5587 https://access.redhat.com/errata/RHSA-2023:5587

Comment 10 errata-xmlrpc 2023-10-17 15:35:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5796 https://access.redhat.com/errata/RHSA-2023:5796

Comment 11 errata-xmlrpc 2023-10-30 08:53:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:6168 https://access.redhat.com/errata/RHSA-2023:6168

Comment 12 errata-xmlrpc 2023-10-30 08:54:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6167 https://access.redhat.com/errata/RHSA-2023:6167

Comment 14 errata-xmlrpc 2024-01-24 16:41:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0404 https://access.redhat.com/errata/RHSA-2024:0404