CCE-95018-8| Platform: cpe:/o:debian:debian_linux:11.x, cpe:/o:ubuntu:ubuntu_linux:20.04, cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:23.04 | Date: (C)2020-10-15 (M)2023-09-01 |
The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image.
Options Explained:
disable - would disable the module.
disable with error logged - would disable the module and log whenever module is inserted.
enable - would enable the module.
Rationale:
Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.
Fix:
Edit or create the file /etc/modprobe.d/squashfs.conf and add the following line:
install squashfs /bin/true
Parameter:
[disable/disable with error logged/enable]
Technical Mechanism:
Edit or create the file /etc/modprobe.d/squashfs.conf and add the following line:
install squashfs /bin/true
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 5.9 | Attack Vector: PHYSICAL |
| Exploit Score: 0.7 | Attack Complexity: LOW |
| Impact Score: 5.2 | Privileges Required: LOW |
| Severity: MEDIUM | User Interaction: NONE |
| Vector: AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | Scope: UNCHANGED |
| | Confidentiality: HIGH |
| | Integrity: NONE |
| | Availability: HIGH |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:87329 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:66002 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92349 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85096 |
