Bug 1691624 (CVE-2019-9755) - CVE-2019-9755 ntfs-3g: heap-based buffer overflow leads to local root privilege escalation
Summary: CVE-2019-9755 ntfs-3g: heap-based buffer overflow leads to local root privile...
Alias: CVE-2019-9755
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1691628 1691629 1698502 1698503 1698516 1698522
Blocks: 1693523
TreeView+ depends on / blocked
Reported: 2019-03-22 06:27 UTC by Dhananjay Arunesh
Modified: 2021-02-16 22:13 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-06 19:20:50 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2308 0 None None None 2019-08-06 12:39:03 UTC
Red Hat Product Errata RHSA-2019:3345 0 None None None 2019-11-05 20:39:27 UTC

Description Dhananjay Arunesh 2019-03-22 06:27:04 UTC
A heap-based buffer overflow was discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of this flaw for local root privilege escalation.


Comment 1 Dhananjay Arunesh 2019-03-22 06:36:40 UTC
External References:


Comment 2 Dhananjay Arunesh 2019-03-22 06:38:16 UTC
Created ntfs-3g tracking bugs for this issue:

Affects: fedora-all [bug 1691628]

Comment 3 Dhananjay Arunesh 2019-03-22 06:38:38 UTC
Created ntfs-3g tracking bugs for this issue:

Affects: epel-all [bug 1691629]

Comment 5 Riccardo Schirone 2019-04-10 08:02:54 UTC
libguestfs-winsupport executes anything in a temporary VM, so even a Local Privilege Escalation in ntfs-3g would have less impact in this case.

Comment 6 Riccardo Schirone 2019-04-10 09:16:17 UTC
ntfs-3g as shipped in Fedora and RHEL (through the libguestfs-winsupport package) does not have the SUID bit set, thus it cannot be used to escalate privileges, even though, in any case, they would be the privileges inside a temporary Virtual Machine.

Comment 7 Richard W.M. Jones 2019-04-10 09:20:40 UTC
><rescue> ls -l /bin/ntfs-3g
-rwxr-xr-x 1 1000 1000 653496 Feb 22  2017 /bin/ntfs-3g

Looks correct, there is no SUID bit.  On the other hand inside the libguestfs appliance everything
runs as root.  But the whole point of the appliance is to contain rogue filesystems and stop
them from taking over the host.

Comment 8 Riccardo Schirone 2019-04-10 11:54:35 UTC
For RHEL, that provides libguestfs-winsupport, I'm setting Low Impact, Confidentiality/Integrity as None and Availability as Low because even if an attacker can trick a high-privileged user into opening a malicious NTFS with a very long mount point, he would be confined in a temporary VM without network and he could read/write only the malicious NTFS image itself.

On Fedora, however, ntfs-3g is directly shipped and it is not run in a temporary VM. For these reasons, the Impact there is Moderate. In any case, the ntfs-3g binaries are not SUID, so the attacker needs to trick a high-privileged user to open a malicious NTFS filesystem with a very long mount point.

Comment 11 Riccardo Schirone 2019-04-10 14:00:22 UTC

This flaw has a lower impact on Red Hat Enterprise Linux because the ntfs-3g tool is run in a supermin appliance, which is similar to a virtual machine instantiated on the fly, and it does not have the SUID bit set. Thus an attacker is very limited on what he can do to the vulnerable system.

Comment 20 errata-xmlrpc 2019-08-06 12:39:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2308 https://access.redhat.com/errata/RHSA-2019:2308

Comment 21 Product Security DevOps Team 2019-08-06 19:20:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 22 errata-xmlrpc 2019-11-05 20:39:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3345 https://access.redhat.com/errata/RHSA-2019:3345

Note You need to log in before you can comment on or make changes to this bug.