Bug 2236130 (CVE-2022-40284) - CVE-2022-40284 NTFS-3G: buffer overflow issue in NTFS-3G can cause code execution via crafted metadata in an NTFS image
Status: NEW
Alias: CVE-2022-40284
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
Depends On: 2236373 2236365 2236366 2236367 2236368 2236369 2236370 2236371 2236372 2236374 2236375 2236376 2236377 2236378 2236379 2236380
Blocks: 2236134
Reported: 2023-08-30 12:16 UTC by juneau
Modified: 2024-04-03 16:24 UTC

Doc Text:
A buffer overflow flaw was found in NTFS-3G. This issue occurs via crafted metadata in an NTFS image and can cause code execution. A local attacker can exploit this issue if the NTFS-3G binary is setuid root. A physically proximate attacker can exploit this issue if the NTFS-3G software is configured to execute upon attachment of an external storage device. This vulnerability may also allow an attacker using a maliciously crafted NTFS-formatted image file or external storage to potentially execute arbitrary privileged code, if the attacker has either local access and the ntfs-3g binary is setuid root, or physical access to an external port of a computer that is configured to run the ntfs-3g binary or one of the ntfsprogs tools when the external storage is plugged in. This vulnerability results from incorrect validation of some of the NTFS metadata, which could potentially cause a buffer overflow that an attacker could exploit.

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:5417 0 None None None 2023-10-03 11:48:43 UTC
Red Hat Product Errata RHSA-2023:5239 0 None None None 2023-09-19 13:05:01 UTC
Red Hat Product Errata RHSA-2023:5264 0 None None None 2023-09-19 14:37:09 UTC
Red Hat Product Errata RHSA-2023:5405 0 None None None 2023-09-28 18:56:50 UTC
Red Hat Product Errata RHSA-2023:5587 0 None None None 2023-10-10 14:14:17 UTC
Red Hat Product Errata RHSA-2023:5796 0 None None None 2023-10-17 15:35:23 UTC
Red Hat Product Errata RHSA-2023:6167 0 None None None 2023-10-30 08:54:18 UTC
Red Hat Product Errata RHSA-2023:6168 0 None None None 2023-10-30 08:53:26 UTC
Red Hat Product Errata RHSA-2024:0404 0 None None None 2024-01-24 16:41:11 UTC

Description juneau 2023-08-30 12:16:38 UTC
A buffer overflow was discovered in NTFS-3G before 2022.10.3. Crafted metadata in an NTFS image can cause code execution. A local attacker can exploit this if the ntfs-3g binary is setuid root. A physically proximate attacker can exploit this if NTFS-3G software is configured to execute upon attachment of an external storage device.

Comment 2 Sandipan Roy 2023-08-31 05:02:24 UTC
Created ntfs-3g tracking bugs for this issue:

Affects: epel-all [bug 2236365]
Affects: fedora-all [bug 2236366]

Comment 4 Sandipan Roy 2023-09-08 08:29:03 UTC
Changing the impact to Low, as:

For RHEL, which provides libguestfs-winsupport, that's Low Impact, with Confidentiality/Integrity as None and Availability as Low, because even if an attacker can trick a high-privileged user into opening a malicious NTFS with a very long mount point, he would be confined in a temporary VM without network and he could read/write only the malicious NTFS image itself.

On Fedora, however, ntfs-3g is directly shipped and it is not run in a temporary VM. For these reasons, the Impact there is Moderate. In any case, the ntfs-3g binaries are not SUID, so the attacker needs to trick a high-privileged user into opening a malicious NTFS filesystem with a very long mount point.

Comment 5 errata-xmlrpc 2023-09-19 13:04:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5239 https://access.redhat.com/errata/RHSA-2023:5239

Comment 6 errata-xmlrpc 2023-09-19 14:37:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5264 https://access.redhat.com/errata/RHSA-2023:5264

Comment 7 errata-xmlrpc 2023-09-28 18:56:49 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.EUS

Via RHSA-2023:5405 https://access.redhat.com/errata/RHSA-2023:5405

Comment 8 errata-xmlrpc 2023-10-10 14:14:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5587 https://access.redhat.com/errata/RHSA-2023:5587

Comment 10 errata-xmlrpc 2023-10-17 15:35:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5796 https://access.redhat.com/errata/RHSA-2023:5796

Comment 11 errata-xmlrpc 2023-10-30 08:53:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:6168 https://access.redhat.com/errata/RHSA-2023:6168

Comment 12 errata-xmlrpc 2023-10-30 08:54:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6167 https://access.redhat.com/errata/RHSA-2023:6167

Comment 14 errata-xmlrpc 2024-01-24 16:41:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0404 https://access.redhat.com/errata/RHSA-2024:0404

