CVE-2021-35268
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code and escalate privileges by exploiting a heap buffer overflow in NTFS-3G when processing specially crafted NTFS inodes. Systems using NTFS-3G versions before 2021.8.22 are affected, particularly Linux systems that mount NTFS filesystems.
💻 Affected Systems
- NTFS-3G
- Tuxera NTFS-3G
- Linux distributions with NTFS-3G package
📦 What is this software?
Fedora by Fedoraproject
Ntfs 3g by Tuxera
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root privileges, allowing complete control over the affected system and potential lateral movement.
Likely Case
Local privilege escalation from a low-privileged user to root, enabling installation of malware, data theft, or persistence mechanisms.
If Mitigated
Limited impact if systems don't mount untrusted NTFS filesystems and follow the principle of least privilege.
🎯 Exploit Status
Exploitation requires ability to mount a malicious NTFS filesystem. Proof-of-concept code is publicly available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.8.22 and later
Vendor Advisory: https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp
Restart Required: No
Instructions:
1. Update NTFS-3G to version 2021.8.22 or later using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install ntfs-3g
3. For RHEL/CentOS/Fedora: sudo yum update ntfs-3g or sudo dnf update ntfs-3g
4. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Disable NTFS mounting
Prevent mounting of NTFS filesystems if not required
sudo chmod 000 /sbin/mount.ntfs
sudo chmod 000 /usr/bin/ntfs-3g
Mount NTFS as read-only
Mount NTFS filesystems with the read-only flag to prevent exploitation
mount -t ntfs-3g -o ro /dev/sdX1 /mnt/ntfs
🧯 If You Can't Patch
- Restrict NTFS mounting to trusted users only using sudoers or similar access controls
- Implement strict filesystem monitoring and alert on unusual NTFS mount activities
🔍 How to Verify
Check if Vulnerable:
Check the installed NTFS-3G version (2>&1 catches the banner whether it is written to stdout or stderr): ntfs-3g --version 2>&1 | head -1
Verify Fix Applied:
Verify the version is 2021.8.22 or later. A literal grep for '2021.8.22' reports every later release as vulnerable, so compare versions instead: v=$(ntfs-3g --version 2>&1 | grep -oE '[0-9]{4}\.[0-9]+\.[0-9]+' | head -1); [ "$(printf '%s\n' "$v" 2021.8.22 | sort -V | head -1)" = 2021.8.22 ] && echo 'Patched' || echo 'Vulnerable'
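As an added example (not part of the original advisory), a POSIX shell helper that performs the same comparison as a reusable function: it accepts any release at or above 2021.8.22 and treats an empty or unparseable banner as vulnerable rather than patched. The banner strings in the comments are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# First release carrying the fix for CVE-2021-35268 (from the advisory).
FIXED_VERSION=2021.8.22

# Pull the first YYYY.M.D token out of whatever text is passed in.
# Prints nothing when no version-shaped token is present.
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]{4}\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit 0 when the version found in "$1" is >= FIXED_VERSION, 1 otherwise.
# Empty or unparseable input is treated as vulnerable, so a failed probe
# can never be reported as "Patched".
ntfs3g_is_patched() {
  v=$(extract_version "$1")
  [ -n "$v" ] || return 1
  # sort -V orders release strings component by component; if the fixed
  # version is the smaller of the two, the installed one is >= it.
  lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
  [ "$lowest" = "$FIXED_VERSION" ]
}

# Probe the installed binary. ntfs-3g prints its banner through its own
# logger, so 2>&1 captures it whether it lands on stdout or stderr.
check_installed_ntfs3g() {
  banner=$(ntfs-3g --version 2>&1 | head -n 1)
  if ntfs3g_is_patched "$banner"; then
    echo "Patched: $banner"
  else
    echo "Vulnerable or not installed: ${banner:-no ntfs-3g binary found}"
  fi
}

# Constructed sample banners (not from a real host) for a quick self-check:
#   "ntfs-3g 2021.8.22 integrated FUSE 28"  -> patched
#   "ntfs-3g 2022.10.3 external FUSE 29"    -> patched (later release)
#   "ntfs-3g 2017.3.23 integrated FUSE 28"  -> vulnerable
```

Run check_installed_ntfs3g on each host; a "Vulnerable or not installed" result for a host that does have ntfs-3g means the package still needs updating.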
📡 Detection & Monitoring
Log Indicators:
- Failed NTFS mount attempts
- Unusual process execution after NTFS mount
- Suspicious kernel messages related to NTFS
Network Indicators:
- N/A - Local vulnerability
SIEM Query:
Process creation where parent process is mount.ntfs or ntfs-3g followed by suspicious child processes
🔗 References
- http://ntfs-3g.com
- http://www.openwall.com/lists/oss-security/2021/08/30/1
- https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp
- https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSEKTKHO5HFZHWZNJNBJZA56472KRUZI/
- https://security.gentoo.org/glsa/202301-01
- https://www.debian.org/security/2021/dsa-4971