
Bug 2003649 (CVE-2021-3802) - CVE-2021-3802 udisks2: insecure defaults in user-accessible mount helpers allow for a DoS

Summary: CVE-2021-3802 udisks2: insecure defaults in user-accessible mount helpers all…
Keywords:
Status: NEW
Alias: CVE-2021-3802
Product: Security Response
Classification: Other
Component: vulnerability
Sub Component:
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone:
Assignee: Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On: 2004422 2004423 2003650
Blocks: 2017003 2003653
Reported: 2021-09-13 11:48 UTC by Marian Rehak
Modified: 2021-10-25 11:42 UTC
CC List: 4 users
Fixed In Version: udisks-2.9.4
Doc Type: If docs needed, set a value
Doc Text: A vulnerability was found in udisks2. This flaw allows an attacker to supply a specially crafted image file or USB device whose mounting leads to a kernel panic. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:


Description Marian Rehak 2021-09-13 11:48:56 UTC

Several user-accessible mount helpers use insecure defaults which allow ext2/3/4 file systems to cause a denial of service (kernel panic) upon mounting a crafted image. This is especially relevant when mounts can be caused by unprivileged users or are configured to happen automatically and completely unauthorized.

External Reference:

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-045.txt

Comment 1 Marian Rehak 2021-09-13 11:49:16 UTC

Created udisks2 tracking bugs for this issue:

Affects: fedora-all [bug 2003650]

Comment 7 Marian Rehak 2021-09-15 09:28:56 UTC

Copyright license of original report: https://creativecommons.org/licenses/by/3.0/deed.en

Comment 9 Tomáš Bžatek 2021-10-04 12:16:38 UTC

Fix available upstream as part of the udisks-2.9.4 release: https://github.com/storaged-project/udisks/releases/tag/udisks-2.9.4
