The new version of NTFS-3G 2021.8.22 arrives fixing 21 vulnerabilities

A little more than four years after the previous release, NTFS-3G 2021.8.22 has been released. The project includes an open source driver that operates in user space using the FUSE mechanism and a set of ntfsprogs utilities for manipulating NTFS partitions.

The driver supports reading and writing data on NTFS partitions and can run on a wide range of FUSE-supported operating systems, including Linux, Android, macOS, FreeBSD, NetBSD, OpenBSD, Solaris, QNX, and Haiku.

The driver's implementation of the NTFS file system is fully compatible with Windows XP, Windows Server 2003, Windows 2000, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and Windows 10. The ntfsprogs suite of utilities allows you to perform operations such as creating NTFS partitions, integrity checking, cloning, resizing, and recovering deleted files. The common components for working with NTFS used in the driver and utilities have been moved to a separate library.

Main new features of NTFS-3G 2021.8.22

This release stands out for correcting 21 vulnerabilities. Several of them can allow an attacker to use a maliciously crafted NTFS-formatted image file or external storage to run arbitrary privileged code, if the attacker has local access and the ntfs-3g binary is setuid root, or if the attacker has physical access to an external port of a computer that is configured to run the ntfs-3g binary or one of the ntfsprogs tools when external storage is connected.

These vulnerabilities are the result of incorrect validation of some of the NTFS metadata, which could cause buffer overflows that an attacker could exploit. The most common ways for attackers to gain physical access to a machine are social engineering or an attack on an unattended computer.

The vulnerabilities were cataloged under the following CVEs: CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289, CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263.

The scores ranged from a lowest of 3.9 to a highest of 6.7, so none of the resolved vulnerabilities was marked as high severity requiring prompt attention.

Among the changes in NTFS-3G 2021.8.22 that are not related to security, we find for example the merging of the code bases of the stable and extended editions of NTFS-3G, along with the transfer of project development to GitHub. In addition, this new version includes fixes for bugs and for compilation problems with previous versions of libfuse.

Separately, the developers analyzed feedback on poor NTFS-3G performance, and the analysis showed that performance issues are generally associated with distributions shipping outdated versions of the project or with wrong default settings, such as mounting without the "big_writes" option, without which the file transfer speed decreases 3-4 times.

Based on testing by the development team, the performance of NTFS-3G lags behind ext4 by only 15-20%.
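
The conditions this article names (a release older than 2021.8.22, an ntfs-3g binary that is setuid root, and NTFS mounts without "big_writes") can be checked on a host with a short script. This is an added example, not code from the NTFS-3G project; the binary path, the `--version` banner format and the sample data are assumptions.

```shell
#!/bin/sh
# Added example (not from the NTFS-3G project): checks for the exposure
# conditions named in the article. Paths and sample data are assumptions.
FIXED="2021.8.22"   # release carrying the 21 fixes, per the article

# Pull the first YYYY.M.D token out of a version banner (format assumed).
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]{4}\.[0-9]{1,2}\.[0-9]{1,2}' | head -n 1
}

# Succeed when version $1 is the fixed release or newer.
is_patched() {
    [ -n "$1" ] || return 1
    oldest=$(printf '%s\n%s\n' "$1" "$FIXED" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$FIXED" ]
}

# Succeed when file $1 has the setuid bit and is owned by root.
is_setuid_root() {
    [ -u "$1" ] && [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]
}

# Read fstab-format text on stdin; print mount points of ntfs-3g entries
# whose option list lacks big_writes. Type "ntfs" is included on the
# assumption that mount.ntfs resolves to ntfs-3g on the host.
missing_big_writes() {
    awk '$1 !~ /^#/ && ($3 == "ntfs-3g" || $3 == "ntfs") &&
         ("," $4 ",") !~ /,big_writes,/ { print $2 }'
}

# Audit a real host, e.g.: audit_host /usr/bin/ntfs-3g
audit_host() {
    v=$(extract_version "$("$1" --version 2>&1)")
    is_patched "$v" || echo "WARN: $1 reports '$v', older than $FIXED"
    if is_setuid_root "$1"; then echo "WARN: $1 is setuid root"; fi
    missing_big_writes < /etc/fstab | sed 's/^/NOTE: no big_writes on /'
}

# Demo on constructed samples (not captured from a real system).
SAMPLE_BANNER='ntfs-3g 2017.3.23 integrated FUSE 28'
SAMPLE_FSTAB='UUID=AAAA /mnt/win  ntfs-3g defaults,big_writes 0 0
UUID=BBBB /mnt/data ntfs-3g rw,noatime 0 0'
v=$(extract_version "$SAMPLE_BANNER")
if is_patched "$v"; then echo "$v: patched"; else echo "$v: older than $FIXED"; fi
printf '%s\n' "$SAMPLE_FSTAB" | missing_big_writes | sed 's/^/no big_writes: /'
```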

Finally, it is also worth mentioning that several weeks ago Linus Torvalds asked Paragon Software to submit the code to merge its new NTFS driver. At that time it was thought that the driver could be added in Linux 5.14-rc2, which did not happen, but it will be integrated in Linux 5.15.

This was because, to have full access to NTFS partitions from Linux, the FUSE NTFS-3G driver had to be used, which runs in user space and does not provide the desired performance.

Everything seemed to be going well for Paragon, but a few days ago Linus Torvalds did not like the way in which Paragon sent the confirmation message for the merge of the code into the kernel, and he made a series of comments criticizing the situation. If you want to know more about it, you can check the details in the following link.

Source: https://sourceforge.net/

