CVE-2021-33287

Description

In NTFS-3G versions < 2021.8.22, when specially crafted NTFS attributes are read in the function ntfs_attr_pread_i, a heap buffer overflow can occur and allow for writing to arbitrary memory or denial of service of the application.

CVSS Metrics

• v3.1•MEDIUM•Score: 6.7CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 6.9AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 0.02%• Percentile: 6%

Techniques & Countermeasures

• CWE-787•Out-of-bounds Write

  The product writes data past the end, or before the beginning, of the intended buffer.

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

• debian•debian_linux

  9.0 | 10.0 | 11.0

• fedoraproject•fedora

  33 | 35

• tuxera•ntfs-3g

  < 2021.8.22

References (9)

• http://ntfs-3g.com
• http://tuxera.com
• http://www.openwall.com/lists/oss-security/2021/08/30/1
• https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp
• https://www.debian.org/security/2021/dsa-4971
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/766ISTT3KCARKFUIQT7N6WV6T63XOKG3/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSEKTKHO5HFZHWZNJNBJZA56472KRUZI/
• https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html
• https://security.gentoo.org/glsa/202301-01