CVE-2020-36322 Overview
An issue was discovered in the FUSE (Filesystem in Userspace) implementation in the Linux kernel before version 5.10.6 (fix commit referenced by NVD as CID-5d069dbe8aaf). The vulnerability lies in the fuse_do_getattr() function, which calls make_bad_inode() in situations where it should not, leading to a system crash and a denial of service condition. A local authenticated attacker can use it to destabilise and crash the affected system.
Critical Impact
Local attackers can exploit improper inode handling in the FUSE filesystem to crash the Linux kernel, causing denial of service. Note that the original fix was incomplete; the follow-up is tracked separately as CVE-2021-28950.
Affected Products
- Linux Kernel (versions before 5.10.6)
- Debian Linux 9.0 and 10.0
- StarWind Virtual SAN 8 (build 14338)
Discovery Timeline
- 2021-04-14 - CVE-2020-36322 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-36322
Vulnerability Analysis
This vulnerability stems from incomplete cleanup (CWE-459) in the Linux kernel's FUSE filesystem implementation. The FUSE subsystem allows non-privileged users to create their own file systems without modifying kernel code, by running the filesystem logic in userspace. When the fuse_do_getattr() function encounters specific error conditions while retrieving attributes, it incorrectly invokes make_bad_inode(). That function marks an inode as "bad" and is intended for cases where filesystem corruption has been detected; invoking it from an ordinary error-handling path instead can lead to a kernel panic or system crash.
The vulnerability sits in the kernel's FUSE code path, so any system that mounts FUSE-based filesystems is potentially exposed. Common FUSE implementations include SSHFS, EncFS, NTFS-3G and various cloud storage mount utilities.
Root Cause
The root cause is improper error handling in fuse_do_getattr(): when attribute retrieval fails under certain conditions, the function marks the inode as bad with make_bad_inode(). That state transition leaves the inode in an inconsistent state, so subsequent operations on it can trigger kernel assertions or null pointer dereferences and ultimately crash the system. This incomplete cleanup of inode state on error paths is a classic instance of CWE-459 (Incomplete Cleanup).
Attack Vector
The attack vector is local, requiring an authenticated user with the ability to interact with a FUSE-mounted filesystem. An attacker can trigger the vulnerability by performing specific filesystem operations that cause fuse_do_getattr() to encounter the vulnerable error handling path. This could involve:
- Mounting a malicious FUSE filesystem that returns crafted error responses
- Performing attribute queries on files during specific race conditions
- Exploiting the FUSE daemon to return unexpected error codes during getattr operations
The vulnerability can be exploited by a local unprivileged user to crash the system, resulting in denial of service. Since FUSE allows user-space filesystem implementations, an attacker with local access could craft a malicious FUSE daemon that deliberately triggers the vulnerable code path.
Detection Methods for CVE-2020-36322
Indicators of Compromise
- Unexpected kernel panics or system crashes related to FUSE filesystem operations
- Kernel log messages referencing fuse_do_getattr or bad inode errors
- Repeated system instability when accessing FUSE-mounted filesystems
- Core dumps indicating crashes in the FUSE subsystem
Detection Strategies
- Monitor kernel logs for FUSE-related error messages and inode corruption warnings
- Implement system monitoring to detect unexpected kernel panics or reboots
- Audit FUSE mount points and associated user-space daemons for suspicious activity
- Deploy endpoint detection solutions capable of identifying kernel-level anomalies
Monitoring Recommendations
- Enable kernel crash dump analysis to capture evidence of exploitation attempts
- Monitor for unusual FUSE mount/unmount activity from non-administrative users
- Implement file integrity monitoring on critical system files
- Configure alerting for repeated system crashes within short time periods
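The indicators and alerting recommendations above can be turned into a small log scan. The following is an added example in POSIX shell (not part of this advisory): it reads kernel log lines in the shape of `journalctl -k -o short-unix`, prints and counts lines that reference fuse_do_getattr or a bad inode, and reports a burst when a configurable number of such lines fall within a configurable window. The regular expression and the sample log lines are constructed assumptions, not real crash output.

```shell
#!/bin/sh
# Added example (not part of the advisory): scan kernel log lines for the FUSE
# crash indicators listed above and flag bursts of them. Expects lines in the
# shape of `journalctl -k -o short-unix`: "<epoch.usec> <host> kernel: <message>".

# Indicator pattern (an assumption): the function named in this advisory as it
# appears in an Oops/BUG call trace, plus the "bad inode" wording.
FUSE_INDICATOR_RE='fuse_do_getattr|make_bad_inode|[Bb]ad inode'

# Print the indicator lines from stdin; exit 0 even when nothing matches.
fuse_indicator_lines() {
    grep -E "$FUSE_INDICATOR_RE" || [ $? -eq 1 ]
}

# Count indicator lines on stdin.
count_fuse_indicators() {
    fuse_indicator_lines | wc -l | tr -d ' '
}

# Print "burst" if at least $2 indicator lines fall inside some $1-second window
# (the "repeated crashes within a short time period" alert above), else "none".
fuse_burst() {
    win=$1
    min=$2
    # epoch field only, fractional part dropped, sorted so windows are scanned in order
    stamps=$(fuse_indicator_lines | cut -d' ' -f1 | cut -d. -f1 | sort -n)
    [ -n "$stamps" ] || { echo none; return 0; }
    set -- $stamps
    while [ $# -gt 0 ]; do
        first=$1
        count=0
        for t in "$@"; do
            [ $((t - first)) -le "$win" ] && count=$((count + 1))
        done
        [ "$count" -ge "$min" ] && { echo burst; return 0; }
        shift
    done
    echo none
}

# Constructed sample log (not real output): two FUSE-related crashes about 10 minutes apart.
SAMPLE_LOG='1618400000.100000 host1 kernel: fuse: init (API version 7.31)
1618400250.300000 host1 kernel: EXT4-fs (sda1): re-mounted. Opts: errors=remount-ro
1618400300.000000 host1 kernel: BUG: unable to handle page fault for address: 0000000000000000
1618400300.000100 host1 kernel: Call Trace:
1618400300.000200 host1 kernel:  fuse_do_getattr+0x1a2/0x300 [fuse]
1618400300.000300 host1 kernel:  fuse_update_attributes+0x60/0x80 [fuse]
1618400300.000400 host1 kernel: Kernel panic - not syncing: Fatal exception
1618400700.000000 host1 kernel:  fuse_do_getattr+0x1a2/0x300 [fuse]
1618400900.000000 host1 kernel: Bad inode encountered on FUSE mount (constructed line)'

# Demo: with real data, pipe `journalctl -k -o short-unix --since today` in instead.
printf '%s\n' "$SAMPLE_LOG" | fuse_indicator_lines
echo "indicators: $(printf '%s\n' "$SAMPLE_LOG" | count_fuse_indicators)"
echo "3 hits within 10 min: $(printf '%s\n' "$SAMPLE_LOG" | fuse_burst 600 3)"
```

The burst check is deliberately simple (every pair of timestamps is compared) because kernel crash logs are small; feed it the output of a crash-dump collector or `journalctl -k -o short-unix` from a cron job and alert on `burst`.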
How to Mitigate CVE-2020-36322
Immediate Actions Required
- Update the Linux kernel to version 5.10.6 or later to apply the security fix
- Apply vendor-specific patches for Debian Linux and StarWind Virtual SAN
- Consider restricting FUSE mount privileges to trusted users only
- Monitor systems for signs of exploitation until patches can be applied
Patch Information
The vulnerability has been addressed in Linux kernel version 5.10.6. The fix is tracked via commit 5d069dbe8aaf2a197142558b6fb2978189ba3454 in the Linux kernel Git repository. Users should update to the patched kernel version through their distribution's package management system. Note that this fix was incomplete; the follow-up fix is tracked as CVE-2021-28950 and should be applied as well.
For Debian users, security updates are available through Debian Security Advisory DSA-5096 and the Debian LTS announcements. StarWind Virtual SAN users should consult the StarWind Security Advisory for specific remediation guidance.
Workarounds
- Restrict access to FUSE filesystem functionality using system security policies
- Disable FUSE module loading if not required: echo "install fuse /bin/false" >> /etc/modprobe.d/disable-fuse.conf
- Implement strict user access controls to limit who can mount FUSE filesystems
- Use SELinux or AppArmor policies to restrict FUSE operations to trusted applications
# Restrict the FUSE device node so that only root can open it
chmod 0700 /dev/fuse
# Caveat: udev may recreate /dev/fuse with default permissions at boot, and the setuid
# fusermount helper may still open the device as root, so pair this with the module restriction below
# Alternatively, prevent the fuse module from loading: "blacklist" only stops alias-based
# autoloading, so add the "install" line to make an explicit modprobe fail as well
echo "blacklist fuse" >> /etc/modprobe.d/blacklist.conf
echo "install fuse /bin/false" >> /etc/modprobe.d/blacklist.conf
# Unload the module now; this fails if FUSE is in use or built into the kernel
modprobe -r fuse || echo "fuse is busy or built in; a reboot is needed for the change to take effect"
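The kernel-version check, the module state check and the modprobe configuration from the workarounds above, as an added shell example that is not part of this advisory or of the kernel project. It assumes the standard `modules.builtin` and `/proc/modules` line formats; the version threshold compares against the upstream fix release only, and the `uname -r` caveat for Debian is noted in the code.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel project): quick host checks for
# the mitigations above. Assumptions: modules.builtin and /proc/modules use their
# usual one-entry-per-line formats; the 5.10.6 threshold is the upstream fix only.

# Return 0 if dotted version $1 is at least $2 (missing components count as 0).
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Strip the distro suffix from a `uname -r` string: "5.10.0-9-amd64" -> "5.10.0".
# Caveat: on Debian this is the ABI name, not the backported point release, so the
# result says nothing about whether the distro kernel carries the fix; trust the DSA.
kernel_base_version() {
    printf '%s\n' "${1%%-*}"
}

# Print "fixed-upstream" if the base version is >= 5.10.6, else "check-distro-advisory".
kernel_fix_status() {
    if version_ge "$(kernel_base_version "$1")" 5.10.6; then
        echo fixed-upstream
    else
        echo check-distro-advisory
    fi
}

# Print how FUSE is present: "builtin" (CONFIG_FUSE_FS=y, modprobe config cannot
# block it), "loaded" (module active) or "not-loaded". Paths are parameters so the
# function can be exercised on saved copies; defaults are the live system files.
fuse_module_state() {
    builtin_list=${1:-/lib/modules/$(uname -r)/modules.builtin}
    loaded_list=${2:-/proc/modules}
    if [ -r "$builtin_list" ] && grep -q '/fuse\.ko' "$builtin_list"; then
        echo builtin
    elif [ -r "$loaded_list" ] && grep -q '^fuse ' "$loaded_list"; then
        echo loaded
    else
        echo not-loaded
    fi
}

# Write the modprobe configuration that blocks both alias autoloading (blacklist)
# and an explicit `modprobe fuse` (install ... /bin/false). $1 is the target file.
write_fuse_modprobe_conf() {
    printf 'blacklist fuse\ninstall fuse /bin/false\n' > "$1"
}

# Demo against the live host (read-only; the config is written to a temp file only).
echo "kernel $(uname -r): $(kernel_fix_status "$(uname -r)")"
echo "fuse: $(fuse_module_state)"
tmp=$(mktemp)
write_fuse_modprobe_conf "$tmp"
echo "would install as /etc/modprobe.d/disable-fuse.conf:"
cat "$tmp"
rm -f "$tmp"
```

Run it as root only if you intend to act on the output; the demo itself writes nothing outside a temporary file. A `builtin` result means the modprobe configuration cannot block FUSE and only the device-node and mount-policy controls above apply.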
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

