CVE-2021-35267
📋 TL;DR
A stack buffer overflow vulnerability in NTFS-3G versions before 2021.8.22 allows local attackers to execute arbitrary code or escalate privileges when the software runs with setuid-root permissions. This affects systems using NTFS-3G to access NTFS filesystems, particularly Linux/Unix systems where the software is installed with elevated privileges.
💻 Affected Systems
- NTFS-3G
📦 What is this software?
Fedora by Fedoraproject
Ntfs 3g by Tuxera
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root, allowing complete system compromise and persistence.
Likely Case
Local privilege escalation by authenticated users to gain root access on affected systems.
If Mitigated
Limited impact if NTFS-3G is not installed or runs without setuid permissions.
🎯 Exploit Status
Exploitation requires local access and knowledge of the vulnerability. Public exploit details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.8.22 and later
Vendor Advisory: https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp
Restart Required: No
Instructions:
1. Update NTFS-3G to version 2021.8.22 or later using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install ntfs-3g
3. For RHEL/CentOS/Fedora: sudo yum update ntfs-3g or sudo dnf update ntfs-3g
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Remove setuid permissions
Linux: Remove setuid-root permissions from NTFS-3G binaries to prevent privilege escalation.
sudo chmod u-s /usr/bin/ntfs-3g
sudo chmod u-s /usr/bin/lowntfs-3g
Disable NTFS-3G
Linux: Temporarily disable NTFS-3G if not needed for system operation.
sudo chmod 000 /usr/bin/ntfs-3g
sudo chmod 000 /usr/bin/lowntfs-3g
🧯 If You Can't Patch
- Remove setuid permissions from NTFS-3G binaries as temporary mitigation
- Restrict local user access to systems with vulnerable NTFS-3G versions
🔍 How to Verify
Check if Vulnerable:
Check NTFS-3G version with: ntfs-3g --version | head -1
Check Version:
ntfs-3g --version | head -1
Verify Fix Applied:
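Verify version is 2021.8.22 or later: v=$(ntfs-3g --version 2>&1 | grep -oE '[0-9]{4}\.[0-9]+\.[0-9]+' | head -1); [ "$(printf '%s\n' 2021.8.22 "$v" | sort -V | head -1)" = 2021.8.22 ] && echo 'Patched' || echo 'Vulnerable'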
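The version check and the setuid condition above combined into one triage script, as an added example that is not part of the original advisory or the NTFS-3G project. The function names and sample banners are assumptions constructed for illustration; only the fixed version 2021.8.22 comes from this page.

```shell
#!/bin/sh
# Added example (not from the advisory): triage NTFS-3G for CVE-2021-35267.
FIXED=2021.8.22   # fixed upstream release, as stated on this page

# First YYYY.M.D triple in a version banner, or empty if none is found.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]{4}\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit 0 when dotted version $1 >= $2. Fields are compared as integers,
# so 2021.10.1 ranks above 2021.8.22 (a plain string compare gets this wrong).
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2                 # split both versions on dots
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1     # unparsable input is never treated as patched
    if   [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
    elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
    else [ "$3" -ge "$6" ]
    fi
}

# classify BANNER SETUID(yes|no): patched, vulnerable-setuid or vulnerable-no-setuid
classify() {
    if version_ge "$(extract_version "$1")" "$FIXED"; then
        echo patched
    elif [ "$2" = yes ]; then
        echo vulnerable-setuid       # the privilege-escalation case on this page
    else
        echo vulnerable-no-setuid    # workaround applied, update still pending
    fi
}

# has_setuid PATH: report whether the setuid bit is set on a file.
has_setuid() { if [ -u "$1" ]; then echo yes; else echo no; fi; }

# audit_binary PATH: classify an installed binary (both output streams captured).
audit_binary() {
    classify "$("$1" --version 2>&1 | head -n 1)" "$(has_setuid "$1")"
}

# Constructed sample banners (illustrative, not captured from real hosts).
for banner in "ntfs-3g 2017.3.23 integrated FUSE 28" \
              "ntfs-3g 2021.8.22 integrated FUSE 28" \
              "ntfs-3g 2022.10.3 external FUSE 29"; do
    printf '%-40s setuid=yes -> %s\n' "$banner" "$(classify "$banner" yes)"
done
```

On a real host, call `audit_binary /usr/bin/ntfs-3g`. Distribution packages may carry the fix under an older upstream version string, so confirm a vulnerable result against the distribution advisory in the references.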
📡 Detection & Monitoring
Log Indicators:
- Failed privilege escalation attempts
- Abnormal process execution by NTFS-3G binaries
- Core dumps from ntfs-3g processes
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
(process.name:"ntfs-3g" AND process.args:"setuid") OR (process.parent.name:"ntfs-3g" AND process.name:"sh")
🔗 References
- http://ntfs-3g.com
- http://www.openwall.com/lists/oss-security/2021/08/30/1
- https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp
- https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSEKTKHO5HFZHWZNJNBJZA56472KRUZI/
- https://security.gentoo.org/glsa/202301-01
- https://www.debian.org/security/2021/dsa-4971