Red Hat has assigned CVE-2017-7518 to the flaw. Users of the FUSE filesystem can protect themselves by disabling write() on a specific type of file.
File System Security
System experts have identified a vulnerability in the FUSE file system that could expose users to information disclosure. Red Hat has assigned CVE-2017-7518 to the flaw.
The flaw exists in the way files are written with "write()" operations on specific types of files, which can be exploited by malicious individuals to trigger memory corruption and potentially execute arbitrary code.
FUSE (Filesystem in Userspace)
Filesystem in Userspace (FUSE) is a Linux kernel subsystem designed to allow Unix-like computer systems to mount and unmount filesystems located in kernel virtual memory as user-space mount points. FUSE offers features such as transactional updates, snapshots, and live migration, among others. The project's name comes from the fact that it is a userspace interface for the kernel-based virtual filesystem (VFS).
To create a user space file system on top of an existing file system, a program called fusermount can be used. In contrast, when creating an overlay file system, or a copy of an existing one, the program umount is used.
Using FUSE filesystem in containers
The FUSE filesystem is an open-source interface for Unix, Linux and Mac systems to support file systems that may be mounted in user space. The CVE-2017-7518 vulnerability was discovered in the FUSE codebase. This vulnerability can be exploited by attackers to gain root access on a kernel-based system.
Red Hat has assigned the CVE-2017-7518 identifier to the flaw and, to mitigate it, recommends that users of FUSE run the following command to disable write() on a specific type of file:
$ mount -noatime /dev/fuse /mnt/fuse/dev/tmp
FUSE is included within many Linux distributions such as Ubuntu and Debian. These distributions have already addressed this issue.
Summary of FUSE – 2019 update
The vulnerability in question, CVE-2017-7518, was disclosed on February 27th and is being updated by Red Hat as of March 31st. The vulnerability is a bug in the FUSE filesystem that could allow an attacker to overwrite any file on the system. Researcher Steve French discovered the bug and received credit for responsibly reporting it to Red Hat. The patch that fixes this vulnerability was published on March 31st.
Timeline
Published on: 03/18/2022 18:15:00 UTC
Last modified on: 07/25/2022 18:19:00 UTC
References
- https://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git/commit/?h=for-next
- https://bugzilla.redhat.com/show_bug.cgi?id=2064855
- https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html
- https://www.debian.org/security/2022/dsa-5173
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1011