CVE-2018-14722

Vulnerability

The vulnerability resides in the evaluate_auto_mountpoint function within btrfsmaintenance-functions of btrfsmaintenance up to version 0.4.1. A specially crafted filesystem label can cause code execution when the btrfs-{scrub,balance,trim} services are configured to auto in /etc/sysconfig/btrfsmaintenance. This configuration is not the default, as noted in the official description [4].

Exploitation

To exploit this, an attacker must be able to set a malicious filesystem label on a Btrfs filesystem, which typically requires either physical access, the ability to mount a crafted filesystem image, or some form of write access to the filesystem metadata. The attacker then triggers one of the affected btrfs-* services (scrub, balance, or trim) when they are set to auto. No user interaction is needed beyond mounting the crafted filesystem; the service will automatically evaluate the mountpoint label and execute the attacker-supplied payload [4].

Impact

Successful exploitation allows an attacker to execute arbitrary code with root privileges. This is a full compromise of the system, as the attacker gains the highest level of access, enabling them to install malware, modify system files, or exfiltrate data [4].

Mitigation

A fix was resolved in the SUSE bug tracker with status RESOLVED FIXED, though no specific version number is provided in the references [4]. Users should upgrade to the latest patched version of btrfsmaintenance as soon as possible. Until the fix is applied, ensure that btrfs-{scrub,balance,trim} are not set to auto in /etc/sysconfig/btrfsmaintenance, as this triggers the vulnerable code path. The official description confirms the default configuration is safe [4].