oss-sec mailing list archives
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631
From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Tue, 30 Jan 2024 19:56:15 -0500
On Tue, Jan 30, 2024 at 03:01:24PM -0800, Greg KH wrote:
On Tue, Jan 30, 2024 at 10:45:00PM +0100, Solar Designer wrote:Thank you Greg for looking into these issues. It's great that most longterm kernel trees appear already fixed.I've taken the one remaining missing fix into the next round of kernel releases, so all should be good now.For CVE-2021-33631 (the ext4 BUG), both the distro vendor's and NVD's CVSS input vectors specify AV:L/AC:L/PR:L/UI:N, which means the vulnerability can be triggered by a local system user at will and without additional privileges. I'd say that deliberately getting the kernel to work on a corrupted filesystem requires at least one of: physical access (AV:P) or privileges on the system (PR:H) or user interaction (UI:R). However, there's no way to encode this in one CVSS vector. Also, in the physical access case, at least the availability impact typically does not apply (would be A:N).The "interesting" thing here is that the project in question (the kernel) does not consider "mounting a corrupted filesystem" as a real attack vector at all. There's been long discussions about it, the most recent being last year on the kernel summit discuss mailing list, and at the kernel summit itself.
The kernel itself does not, but there are downstreams of the kernel that do for at least a subset of filesystems. These include Android and Chromium OS.
So while CVSS might consider this a real issue, the developers of the project itself do not. The disconnect is one that drives people who use sysbot tools to create fancy corrupted filesystem images with the goal of getting a CVE for their CV, crazy on a weekly basis when the issues they report get constantly ignored.
If someone finds a vulnerability in F2FS or ext4 that can be used to compromise the kernel by crafting a malicious filesystem, they should report it to the Android or Chromium OS security teams, respectively. It’s a verified boot bypass and I expect that it would be in scope for the respective bounty programs. If Android mounts FAT and exFAT in the kernel, then vulnerabilities in these filesystems should be reported to the Android security team. Google requires that F2FS and ext4 are secure against malicious filesystem images, so they should be the ones responsible for fixing any vulnerabilities that require a malicious filesystem image to trigger. Fortunately, they have the resources to do that, so this should not be a problem for them. Could this be documented somehow, so that people know to send reports against f2fs and ext4 to those who will actually fix them? -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
Attachment:
signature.asc
Description:
Current thread:
- FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Jan 31)
- Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Roxana Bradescu (Feb 02)
- Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Feb 02)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)