CVE-2024-38625
📋 TL;DR
A NULL pointer dereference vulnerability exists in the Linux kernel's NTFS3 filesystem driver. When the 'bmap' function is called, it can pass a NULL 'folio' pointer, causing a kernel crash. This affects systems using the NTFS3 driver to access NTFS filesystems.
💻 Affected Systems
- Linux kernel with NTFS3 driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or corruption if filesystem operations are interrupted.
Likely Case
System crash or kernel panic when accessing NTFS filesystems via the bmap operation, resulting in denial of service.
If Mitigated
Minor system instability or application crashes when accessing specific NTFS filesystem operations.
🎯 Exploit Status
Requires local access and ability to trigger bmap operations on NTFS filesystems. No known public exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 1cd6c96219c429ebcfa8e79a865277376c563803 and 6c8054d590668629bb2eb6fb4cbf22455d08ada8
Vendor Advisory: https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Reboot system to load new kernel. 3. Verify NTFS3 driver is updated.
🔧 Temporary Workarounds
Disable NTFS3 driver
linuxPrevent loading of the vulnerable NTFS3 filesystem driver
echo 'blacklist ntfs3' >> /etc/modprobe.d/blacklist-ntfs3.conf
update-initramfs -u
reboot
Use alternative NTFS driver
linuxUse NTFS-3G userspace driver instead of kernel NTFS3 driver
apt-get install ntfs-3g
mount -t ntfs-3g /dev/sdX /mnt/ntfs
🧯 If You Can't Patch
- Restrict access to NTFS filesystems to trusted users only
- Monitor system logs for kernel panic events related to NTFS operations
🔍 How to Verify
Check if Vulnerable:
Check if NTFS3 module is loaded: lsmod | grep ntfs3. Check kernel version: uname -r and compare with patched versions.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits. Check dmesg for absence of NULL pointer dereference errors related to NTFS.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- NULL pointer dereference errors mentioning 'ntfs3' or 'folio'
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "kernel panic") AND "ntfs3"🔗 References
- https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803
- https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8
- https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641
- https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803
- https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8
- https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641
