Date: Thu, 26 May 2022 11:48:31 +0300 From: Jussi Hietanen <jussi.hietanen@...era.com> To: oss-security@...ts.openwall.com Cc: Roman Fiedler <roman.fiedler.at@...il.com>, Jean-Pierre André <jean-pierre.andre@...adoo.fr> Subject: OPEN SOURCE NTFS-3G SECURITY ADVISORY NTFS3G-SA-2022-0002 Security vulnerabilities were identified in the open source NTFS-3G built with internal libfuse (known as libfuse-lite) or libfuse2. These vulnerabilities were confirmed and resolved. A proof-of-concept exploit against a specific NTFS-3G build exists. These vulnerabilities allow an attacker to execute arbitrary privileged code, if the attacker has local access and the ntfs-3g binary is setuid root. We recommend installing and applying the update with the security fixes, and advise to follow security guidance and frameworks such as NIST for assessing and improving an organization’s abilities to prevent, detect, and respond to security threats and cyber attacks. AFFECTED PRODUCTS: All previous versions of open source NTFS-3G compiled with internal libfuse (known as libfuse-lite) or libfuse2. WORKAROUND: None SOLUTION: Upgrade to 2022.5.17 PROJECT URL: https://github.com/tuxera/ntfs-3g ADVISORY ID: NTFS3G-SA-2022-0002 ISSUE DATE: 2022-05-26 SEVERITY: High CVEs: CVE-2022-30783, CVE-2022-30785, CVE-2022-30787 CVSS SCORE: 7.5 ACKNOWLEDGMENT: Thanks to Roman Fiedler for reporting the vulnerabilities and supplying a PoC.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.