A heap-based buffer overflow was discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of this flaw for local root privilege escalation. Reference: https://security-tracker.debian.org/tracker/source-package/ntfs-3g
External References: https://www.debian.org/security/2019/dsa-4413
Created ntfs-3g tracking bugs for this issue: Affects: fedora-all [bug 1691628]
Created ntfs-3g tracking bugs for this issue: Affects: epel-all [bug 1691629]
Upstream patch: https://sourceforge.net/p/ntfs-3g/ntfs-3g/ci/85c1634a26faa572d3c558d4cf8aaaca5202d4e9/
libguestfs-winsupport executes anything in a temporary VM, so even a Local Privilege Escalation in ntfs-3g would have less impact in this case.
ntfs-3g as shipped in Fedora and RHEL (through the libguestfs-winsupport package) does not have the SUID bit set, thus it cannot be used to escalate privileges, even though, in any case, they would be the privileges inside a temporary Virtual Machine.
><rescue> ls -l /bin/ntfs-3g
-rwxr-xr-x 1 1000 1000 653496 Feb 22 2017 /bin/ntfs-3g

Looks correct, there is no SUID bit. On the other hand inside the libguestfs appliance everything runs as root. But the whole point of the appliance is to contain rogue filesystems and stop them from taking over the host.
For RHEL, which provides libguestfs-winsupport, I'm setting Low Impact, Confidentiality/Integrity as None and Availability as Low because even if an attacker can trick a high-privileged user into opening a malicious NTFS with a very long mount point, he would be confined in a temporary VM without network and he could read/write only the malicious NTFS image itself. On Fedora, however, ntfs-3g is directly shipped and it is not run in a temporary VM. For these reasons, the Impact there is Moderate. In any case, the ntfs-3g binaries are not SUID, so the attacker needs to trick a high-privileged user into opening a malicious NTFS filesystem with a very long mount point.
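The comments above hinge on one host property: whether the ntfs-3g binary (or its mount.ntfs helpers) is setuid root, since only then could an unprivileged local user reach the vulnerable parser directly. The script below is an added example for administrators, not part of this bug thread or of the ntfs-3g project; the candidate paths are assumptions for a typical install and can be overridden on the command line.

```shell
#!/bin/sh
# Added example (not from the bug thread): report whether an ntfs-3g
# binary on this host is setuid root, i.e. whether CVE-2019-9755 could be
# reached by an unprivileged local user instead of only by a privileged
# user mounting a crafted image. Candidate paths are assumptions for a
# typical install; pass your own list as the first argument.

# Return 0 if the file has the setuid bit (mode 4000) set.
# -L follows symlinks (mount.ntfs-3g is often a symlink to ntfs-3g);
# -prune keeps find from descending if a directory is passed by mistake.
has_setuid_bit() {
    [ -n "$(find -L "$1" -prune -perm -4000 2>/dev/null)" ]
}

# Return 0 if the file is setuid AND owned by root: the combination
# that would turn a heap overflow in ntfs-3g into local root.
is_setuid_root() {
    [ -n "$(find -L "$1" -prune -perm -4000 -user root 2>/dev/null)" ]
}

# Print one status line per candidate path.
check_ntfs3g_binaries() {
    for p in ${1:-/bin/ntfs-3g /usr/bin/ntfs-3g /sbin/mount.ntfs-3g /usr/sbin/mount.ntfs-3g /sbin/mount.ntfs /usr/sbin/mount.ntfs}; do
        if [ ! -e "$p" ]; then
            printf '%s: absent\n' "$p"
        elif is_setuid_root "$p"; then
            printf '%s: SETUID ROOT (unprivileged users can reach the NTFS parser)\n' "$p"
        elif has_setuid_bit "$p"; then
            printf '%s: setuid but not root-owned\n' "$p"
        else
            printf '%s: not setuid (flaw needs a privileged user to mount the image)\n' "$p"
        fi
    done
}

check_ntfs3g_binaries "$@"
```

Run it as any user; a "SETUID ROOT" line means the host is in the Fedora-style situation the thread rates Moderate, while "not setuid" matches what the libguestfs appliance check above found.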
Statement: This flaw has a lower impact on Red Hat Enterprise Linux because the ntfs-3g tool is run in a supermin appliance, which is similar to a virtual machine instantiated on the fly, and it does not have the SUID bit set. Thus an attacker is very limited in what he can do to the vulnerable system.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2308 https://access.redhat.com/errata/RHSA-2019:2308
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9755
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3345 https://access.redhat.com/errata/RHSA-2019:3345