Re: Malicious devices & vulnerabilties

[Eugene Teo <eugene () redhat com>]

On 01/09/2012 05:08 AM, Hanno Böck wrote:
> Am Sun, 8 Jan 2012 09:07:25 -0800 schrieb Greg KH
> <greg () kroah com>:
>
> > They should be considered buggy, yes, and as such, the kernel 
> > developers will fix any reported problems (or we should, if not, 
> > please let me know.)
> >
> > But note, as these almost always fall under the "you have
> > physical access" category, their security impact is generally
> > considered low.
>
> As far as publicly known, it's likely that Stuxnet was originally 
> spread via a security problem with USB.
>
> Also, I'd doubt the "physical access" category. It may just require
> a bit of social engineering ("I have the file you requested on this
> usb stick").
>
> Considering that I'd strongly disagree classifying such issues
> "low impact".
>
> At least for pluggable devices, I'd consider such issues rather 
> serious. It's another thing with PCI or other devices that require 
> significant work to attach to a piece of hardware.

If you are using cvss2, the flaw itself should have a low impact, and
how it will affect your environment may have a higher impact. See
http://www.first.org/cvss/cvss-guide.html#i2.3.

It's hard to give a single rating that can be applied to all scenarios
because obviously in some environments, this is not an issue, while in
other cases like public Internet kiosks, it can be a big headache.

Eugene