Multiple vulnerabilities in F2fs-Tools F2fs.Fsck
| Risk | Low |
| Patch available | NO |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2020-6104 CVE-2020-6108 CVE-2020-6107 CVE-2020-6106 CVE-2020-6105 |
| CWE-ID | CWE-125 CWE-787 CWE-200 CWE-73 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
F2fs.Fsck Other software / Other software solutions |
| Vendor | F2fs-Tools |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU47656
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-6104
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the "get_dnode_of_data" functionality. A local administrator can use a specially crafted f2fs filesystem, trigger out-of-bounds read error and read contents of memory on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsF2fs.Fsck: 1.13
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1046
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds write
EUVDB-ID: #VU47660
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-6108
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to a boundary error in the "fsck_chk_orphan_node" functionality. A local administrator can use a specially crafted f2fs filesystem, trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsF2fs.Fsck: 1.13
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1050
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU47659
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-6107
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the "dev_read" functionality. A local administrator can use a specially crafted f2fs filesystem and gain unauthorized access to sensitive information on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsF2fs.Fsck: 1.13
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1049
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds read
EUVDB-ID: #VU47658
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-6106
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the "init_node_manager" functionality. A local administrator can use a specially crafted filesystem, trigger out-of-bounds read error and read contents of memory on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsF2fs.Fsck: 1.12 - 1.13
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1048
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) External Control of File Name or Path
EUVDB-ID: #VU47657
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-6105
CWE-ID:
CWE-73 - External Control of File Name or Path
Exploit availability: No
DescriptionThe vulnerability allows a local user to delete arbitrary files.
The vulnerability exists due to application allows an attacker to control path of the files to delete in the multiple devices functionality. A local administrator can use a specially crafted f2fs filesystem and delete arbitrary files on the system, leading to arbitrary code execution.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsF2fs.Fsck: 1.13
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1047
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
