Bug 1190606 - (CVE-2021-3802) VUL-0: CVE-2021-3802: udisks2: udisks2: insecure defaults in user-accessible mount helpers allow for a DoS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Thomas Blume
Security Team bot
https://smash.suse.de/issue/310083/
CVSSv3.1:SUSE:CVE-2021-3802:4.2:(AV:L...
Reported: 2021-09-17 13:23 UTC by Gabriele Sonnu
Modified: 2022-09-22 09:34 UTC (History)
Found By: Security Response Team
Description Gabriele Sonnu 2021-09-17 13:23:17 UTC
Several user-accessible mount helpers use insecure defaults which allow ext2/3/4 file systems to cause a denial of service (kernel panic) upon mounting a crafted image.  This is especially relevant when mounts can be caused by unprivileged users or are configured to happen automatically and completely unauthorized.

External Reference:

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-045.txt

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2003649
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3802
Comment 1 Gabriele Sonnu 2021-09-17 13:23:45 UTC
No details as of 2021-09-17
Comment 4 Gabriele Sonnu 2021-10-26 12:26:25 UTC
Details are now public [0]. 

Upstream fix [1] can only be applied to the 2.9.x branch, but it seems that older versions are also affected, as using the reproducer in SLE12 and SLE15 VMs hangs the system.
Tracking as affected:

- SUSE:SLE-12:Update udisks2      2.1.3
- SUSE:SLE-15-SP2:Update udisks2  2.8.1
- SUSE:SLE-15:Update udisks2      2.6.5
- openSUSE:Factory udisks2        2.9.2


[0] https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-045.txt
[1] https://github.com/storaged-project/udisks/commit/93f440c8409eec28739efb1598874543267b8d1e
Comment 5 Thomas Leroy 2022-05-05 08:37:03 UTC
SUSE:SLE-15-SP4:Update is also affected.
Comment 6 Thomas Blume 2022-05-09 16:22:57 UTC
(In reply to Thomas Leroy from comment #5)
> SUSE:SLE-15-SP4:Update is also affected.

Thanks for the hint, I've submitted to 15SP4.
Comment 8 Swamp Workflow Management 2022-06-02 13:24:30 UTC
SUSE-SU-2022:1919-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190606
CVE References: CVE-2021-3802
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    udisks2-2.9.2-150400.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    udisks2-2.9.2-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Thomas Blume 2022-06-02 13:58:47 UTC
Updates are released, reassigning to security team to wrap it up.
Comment 10 Hu 2022-08-30 14:05:25 UTC
I think this is still missing in:
SUSE:SLE-12:Update
SUSE:SLE-15:Update
SUSE:SLE-15-SP2:Update 

Could you have a look and submit there?
Comment 11 Thomas Blume 2022-09-01 10:21:21 UTC
(In reply to Hu from comment #10)
> I think this is still missing in:
> SUSE:SLE-12:Update
> SUSE:SLE-15:Update
> SUSE:SLE-15-SP2:Update 
> 
> Could you have a look and submit there?

According to: https://www.suse.com/lifecycle, these versions are out of general support.
That means only critical security issues will be fixed.
According to: https://www.suse.com/support/kb/doc/?id=000018318 a denial of service attack is a moderate security issue.

The config file parser for the upstream patch was introduced with udisks-2.9.0.
Older versions don't have default mount options for ext2/3/4 at all.
Therefore, unexpected side effects of a backport are very possible.
Furthermore, introducing that now into the old versions will change the behaviour and the user experience.

I can try the backport to SLE15SP3, which is still under general support but for the older SLE versions, I deem it not feasible.

Gabriele, do you agree?
Comment 17 Swamp Workflow Management 2022-09-07 16:29:58 UTC
SUSE-SU-2022:3154-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1098797,1190606
CVE References: CVE-2021-3802
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    udisks2-2.8.1-150200.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    udisks2-2.8.1-150200.3.3.1

Comment 18 Swamp Workflow Management 2022-09-07 16:31:08 UTC
SUSE-SU-2022:3160-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1098797,1190606
CVE References: CVE-2021-3802
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    udisks2-2.1.3-3.8.1
SUSE OpenStack Cloud 9 (src):    udisks2-2.1.3-3.8.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    udisks2-2.1.3-3.8.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    udisks2-2.1.3-3.8.1
SUSE Linux Enterprise Server 12-SP5 (src):    udisks2-2.1.3-3.8.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    udisks2-2.1.3-3.8.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    udisks2-2.1.3-3.8.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    udisks2-2.1.3-3.8.1

Comment 19 Thomas Leroy 2022-09-22 09:34:26 UTC
Released, closing