PT-2018-2294 · Filesystem In Userspace+4 · Fuse+4

Jann Horn · Published 2018-07-24 · Updated 2022-03-16 · CVE-2018-10906

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

fuse versions 2.9.8 and earlier
fuse versions 3.x before 3.2.5

Description

The issue is a restriction bypass when SELinux is active: non-root users can mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. This could be exploited to mount a FUSE file system that is accessible to other users, potentially causing Denial of Service or other unspecified effects by tricking them into accessing files on that file system.

Recommendations

For fuse versions 2.9.8 and earlier, update to version 2.9.8 or later. For fuse versions 3.x before 3.2.5, update to version 3.2.5 or later.
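
To check a host for mounts that contradict the policy described above, the following added example (not code from the advisory or from the fuse project) reads /proc/mounts and /etc/fuse.conf and reports FUSE mounts that carry allow_other under a non-root user_id while user_allow_other is not set. The function names and the sample mount table are constructed for illustration.

```python
# Added example: heuristic audit, not code from libfuse or the advisory.
import sys

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
host:/ /home/alice/remote fuse.sshfs rw,nosuid,nodev,user_id=1000,group_id=1000 0 0
demo /tmp/shared fuse.demo rw,nosuid,nodev,user_id=1001,group_id=1001,allow_other 0 0
/dev/sdb1 /media/usb fuseblk rw,user_id=0,group_id=0,allow_other 0 0
"""

def user_allow_other_enabled(conf_text):
    """True if fuse.conf text has an uncommented user_allow_other line."""
    return any(line.split("#", 1)[0].strip() == "user_allow_other"
               for line in conf_text.splitlines())

def suspicious_fuse_mounts(mounts_text, conf_text):
    """Return (mountpoint, fstype, uid) for FUSE mounts that carry allow_other,
    belong to a non-root user_id, and are not permitted by fuse.conf."""
    if user_allow_other_enabled(conf_text):
        return []  # policy allows it; nothing to flag
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, fstype, opts = fields[1], fields[2], fields[3].split(",")
        # fusectl is the control filesystem, not a user mount
        if not (fstype in ("fuse", "fuseblk") or fstype.startswith("fuse.")):
            continue
        uid = next((o[8:] for o in opts if o.startswith("user_id=")), "")
        if "allow_other" in opts and uid.isdigit() and int(uid) != 0:
            findings.append((mountpoint, fstype, int(uid)))
    return findings

if __name__ == "__main__":
    try:
        with open("/etc/fuse.conf") as f:
            conf = f.read()
    except OSError:
        conf = ""  # assumption: a missing file means the option is not set
    with open("/proc/mounts") as f:
        hits = suspicious_fuse_mounts(f.read(), conf)
    for mountpoint, fstype, uid in hits:
        print(f"allow_other mount by uid {uid}: {mountpoint} ({fstype})")
    sys.exit(1 if hits else 0)
```

A hit is a lead to investigate, not proof of exploitation: the mount may have been created while user_allow_other was still set in the configuration.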

Exploit

Fix

DoS

Improper Authorization

Improper Privilege Management

Improper Access Control


Weakness Enumeration

Related identifiers

AZL-34694
AZL-6430
BDU:2019-00421
CESA-2018_3324
CVE-2018-10906
DLA-1468-1
DSA-4257-1
OPENSUSE-SU-2018_3325-1
OPENSUSE-SU-2018_3326-1
RHSA-2018:3324
RHSA-2018_3324
SUSE-SU-2018:3219-1
SUSE-SU-2018:3260-1
SUSE-SU-2018_3219-1
SUSE-SU-2018_3260-1
SUSE-SU-2019:13948-1
SUSE-SU-2019_13948-1
USN-5326-1

Affected products

Centos
Red Hat
Suse
Ubuntu
Fuse