CVE-2021-39252
📋 TL;DR
CVE-2021-39252 is an out-of-bounds read in the ntfs_ie_lookup function of NTFS-3G, the user-space (FUSE) NTFS driver used by most Linux distributions. Mounting a specially crafted NTFS image with ntfs-3g triggers the read, which can crash the driver process or leak data from its memory. NTFS-3G versions before 2021.8.22 are affected.
💻 Affected Systems
- NTFS-3G
- Tuxera NTFS-3G
- Linux distributions with NTFS-3G packages
📦 What is this software?
NTFS-3G (Tuxera) is the user-space NTFS read/write driver that Linux distributions ship for mounting Windows filesystems through FUSE. It is commonly installed setuid root so that unprivileged desktop users and automounters can mount NTFS volumes, which is what makes a crafted image a local-user attack surface. Affected products as tracked by the advisories:
Fedora by Fedoraproject
Ntfs 3g by Tuxera
⚠️ Risk & Real-World Impact
Worst Case
Crash of the ntfs-3g driver process, or disclosure of data from that process's memory, when a malicious NTFS image is mounted. Because NTFS-3G runs in user space via FUSE, the out-of-bounds read is in process memory rather than kernel memory; on systems where ntfs-3g is installed setuid root, that process runs with root privileges.
Likely Case
Crash of the ntfs-3g process (failed mount or a mounted volume disappearing) when a crafted NTFS image is mounted.
If Mitigated
Minimal impact if the host never mounts untrusted NTFS images, automounting of removable media is off, and only root can invoke ntfs-3g (no setuid bit).
🎯 Exploit Status
Exploitation requires getting the target to mount a crafted NTFS image: local shell access, a removable drive picked up by a desktop automounter, or a setuid ntfs-3g binary that lets unprivileged users mount volumes. There is no network vector. See the vendor advisory for the affected code and fixed version.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.8.22 and later
Vendor Advisory: https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp
Restart Required: No system restart, but every mounted NTFS volume must be unmounted and remounted so that the new ntfs-3g binary is the one doing the parsing.
Instructions:
1. Update NTFS-3G to version 2021.8.22 or later.
2. For Linux distributions, use the package manager: 'sudo apt update && sudo apt upgrade ntfs-3g' (Debian/Ubuntu), 'sudo dnf update ntfs-3g' (Fedora/RHEL 8+) or 'sudo yum update ntfs-3g' (RHEL/CentOS 7). Distributions backport the fix without changing the upstream version number, so rely on the distribution's advisory (see References) and package changelog rather than the upstream number alone.
3. For source installations, download 2021.8.22 or later from https://github.com/tuxera/ntfs-3g/releases and rebuild.
4. Unmount and remount any NTFS volumes that were mounted before the update.
🔧 Temporary Workarounds
Restrict NTFS mounting
Linux: prevent mounting of NTFS filesystems from untrusted sources. Mark NTFS entries in /etc/fstab as noauto so they are not mounted at boot, turn off desktop automounting of removable media (udisks/GNOME/KDE settings) so a plugged-in drive is not parsed automatically, and remove the setuid bit from the ntfs-3g binary (chmod u-s) if unprivileged users do not need to mount NTFS, so that only root can invoke the parser. Mount options such as nosuid,noexec,nodev remain good hygiene for removable media but do not mitigate this bug: the out-of-bounds read happens inside the driver while it parses the image, before any file on it is used.
# /etc/fstab: add the noauto option to NTFS partitions
# Manual mounts, with reduced trust in the contents: mount -o nosuid,noexec,nodev ntfs_partition
Disable NTFS-3G if unused
Linux: remove or disable NTFS-3G if NTFS support is not needed (check first what depends on the package; on some desktop distributions other packages pull it in).
sudo apt remove ntfs-3g
sudo yum remove ntfs-3g
🧯 If You Can't Patch
- Avoid mounting NTFS images or removable NTFS media from untrusted sources, and disable automounting so a plugged-in drive is not mounted without a decision
- Restrict who can mount filesystems: no setuid ntfs-3g, no user-mountable NTFS entries in /etc/fstab, and mount only as root after the image has been vetted
🔍 How to Verify
Check if Vulnerable:
Check the installed NTFS-3G version with 'ntfs-3g --version' (upstream builds), 'dpkg -l ntfs-3g' (Debian/Ubuntu) or 'rpm -q ntfs-3g' (RHEL/CentOS/Fedora). Any upstream version below 2021.8.22 is affected unless the distribution has backported the fix; 'apt changelog ntfs-3g | grep CVE-2021-39252' or 'rpm -q --changelog ntfs-3g | grep CVE-2021-39252' shows whether it has.
Check Version:
ntfs-3g --version
Verify Fix Applied:
Confirm the upstream version is 2021.8.22 or later. NTFS-3G version numbers are dates (year.month.day), so compare them component by component rather than as strings: 2022.5.17 is newer than 2021.8.22, and a regex such as '2021.8.2[2-9]' misses later releases while a string comparison ranks 2021.8.3 above 2021.8.22.
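The following script is an added example, not code from the page or the NTFS-3G project. It extracts the upstream year.month.day version from whatever 'ntfs-3g --version', dpkg or rpm print, compares it numerically against 2021.8.22, and reports whether the installed binary is setuid root. The binary path, the sample version strings and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or NTFS-3G): is the installed ntfs-3g older
# than the 2021.8.22 fix, and is it setuid root? Paths and samples are assumed.

FIXED_VERSION="2021.8.22"

# Pull the first upstream YYYY.M.D token out of any version-ish string, e.g.
# "ntfs-3g 2017.3.23AR.3 integrated FUSE 28" or a Debian "1:2021.8.22-3".
ntfs3g_upstream_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]{4}\.[0-9]{1,2}\.[0-9]{1,2}' | head -n 1
}

# Print "fixed" if the version found in $1 is >= the fix version ($2, default
# 2021.8.22), "vulnerable" if older, "unknown" if no version token is present.
# Components are compared as numbers, so 2022.5.17 > 2021.8.22 and
# 2021.8.22 > 2021.8.3, which string or regex comparisons get wrong.
ntfs3g_version_status() {
    v=$(ntfs3g_upstream_version "$1")
    fixed=${2:-$FIXED_VERSION}
    if [ -z "$v" ]; then
        echo unknown
        return 2
    fi
    set -- $(printf '%s %s\n' "$v" "$fixed" | tr '.' ' ')
    # $1 $2 $3 = installed year month day, $4 $5 $6 = fixed year month day
    if [ "$1" -gt "$4" ] \
       || { [ "$1" -eq "$4" ] && [ "$2" -gt "$5" ]; } \
       || { [ "$1" -eq "$4" ] && [ "$2" -eq "$5" ] && [ "$3" -ge "$6" ]; }; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# Report whether the file at $1 carries the setuid bit: a setuid ntfs-3g lets
# any local user hand a crafted image to the parser running as root.
ntfs3g_setuid_status() {
    if [ ! -f "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo nosetuid
    fi
}

# Live check of this host; run as: sh ntfs3g-check.sh --run
ntfs3g_report() {
    bin=$(command -v ntfs-3g 2>/dev/null || echo /usr/bin/ntfs-3g)  # assumed path
    ver=$("$bin" --version 2>&1 | head -n 1)
    echo "binary:  $bin ($(ntfs3g_setuid_status "$bin"))"
    echo "version: $ver"
    echo "upstream status: $(ntfs3g_version_status "$ver")"
    # Distributions backport fixes without bumping the upstream number, so
    # check the package changelog before trusting a "vulnerable" verdict.
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='package: ${Package} ${Version}\n' ntfs-3g 2>/dev/null
        echo "check: apt changelog ntfs-3g | grep CVE-2021-39252"
    elif command -v rpm >/dev/null 2>&1; then
        if rpm -q --changelog ntfs-3g 2>/dev/null | grep -q 'CVE-2021-39252'; then
            echo "package changelog mentions CVE-2021-39252 (backported fix)"
        fi
    fi
}

if [ "${1:-}" = "--run" ]; then
    ntfs3g_report
fi
```

If the report shows "setuid" and unprivileged users do not need to mount NTFS volumes, removing the bit closes the local-user path even before the package is updated; a "vulnerable" verdict on a distribution package is only final once the changelog confirms no backport.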
📡 Detection & Monitoring
Log Indicators:
- Kernel log lines of the form 'ntfs-3g[PID]: segfault at ... ip ... sp ... error N in libntfs-3g...' (the kernel's crash report for the user-space driver), or mount units/shells reporting a segmentation fault of ntfs-3g
- NTFS-3G's own syslog messages ('Version ...', 'Mounted /dev/... ') for devices or images that were not expected to be mounted on that host
- Failed or disappearing NTFS mounts that coincide with a removable device being attached
Network Indicators:
- Not applicable - local filesystem vulnerability
SIEM Query:
source="*syslog*" AND ("ntfs-3g" OR "libntfs-3g") AND ("segfault" OR "segmentation fault" OR "SEGV")
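The following is an added detection example, not code from the page or any vendor: a grep-based filter for ntfs-3g crash records that can be run over syslog files or journalctl output. The five sample log lines are constructed for this example (the kernel's 'comm[pid]: segfault at ...' format and NTFS-3G's 'Version'/'Mounted' messages are real formats; the hostname, PIDs, addresses and timestamps are made up).

```shell
#!/bin/sh
# Added example (not from the page): find crashes of the ntfs-3g driver process
# in syslog/journal text. Sample lines below are constructed, not real captures.

# Print every line that records an ntfs-3g crash: the kernel's segfault report
# for the ntfs-3g process or a fault located in the ntfs-3g library, and
# "Segmentation fault" messages that name ntfs-3g.
ntfs3g_crash_lines() {
    grep -E 'ntfs-3g\[[0-9]+\]: segfault at|segfault.*in (ntfs-3g|libntfs-3g)|ntfs-3g.*[Ss]egmentation fault' "$@"
}

# Print the number of crash lines; exit status 1 when there are none, so the
# function can be used as a check in a cron job or a collector script.
ntfs3g_crash_count() {
    n=$(ntfs3g_crash_lines "$@" | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -gt 0 ]
}

# Constructed sample input: two crash records among ordinary mount activity.
SAMPLE_LOG=$(cat <<'EOF'
Nov 12 10:03:40 host1 kernel: [ 4012.55] ntfs-3g[2345]: segfault at 7f1c2e0f4000 ip 00007f1c2d9b3a21 sp 00007ffd43c2a3b0 error 4 in libntfs-3g.so.89.0.0[7f1c2d98a000+4a000]
Nov 12 10:04:02 host1 ntfs-3g[2350]: Version 2017.3.23AR.3 integrated FUSE 28
Nov 12 10:04:02 host1 ntfs-3g[2350]: Mounted /dev/sdb1 (Read-Write, label "USB", NTFS 3.1)
Nov 12 10:05:11 host1 kernel: [ 4103.12] usb 1-1: USB disconnect, device number 4
Nov 12 10:09:33 host1 kernel: [ 4365.90] ntfs-3g[2390]: segfault at 0 ip 000055d1c0a4f7e2 sp 00007ffc1d0a9c10 error 4 in ntfs-3g[55d1c0a3c000+1f000]
EOF
)

# Usage against the constructed sample; for a live host, feed it real logs, e.g.
#   journalctl -k -o short | ntfs3g_crash_lines
#   ntfs3g_crash_lines /var/log/syslog /var/log/kern.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ntfs3g_crash_lines
    printf 'crash records: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | ntfs3g_crash_count)"
fi
```

A crash record alone does not prove a malicious image, so pair a hit with the preceding ntfs-3g 'Mounted /dev/...' line to identify which device or image file was being parsed, and treat that image as evidence rather than remounting it.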
🔗 References
- https://github.com/tuxera/ntfs-3g/releases
- https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp
- https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSEKTKHO5HFZHWZNJNBJZA56472KRUZI/
- https://security.gentoo.org/glsa/202301-01
- https://www.debian.org/security/2021/dsa-4971