oss-sec mailing list archives
Re: Linux kernel: multiple vulnerabilities in the USB subsystem
From: Solar Designer <solar () openwall com>
Date: Wed, 8 Nov 2017 13:05:38 +0100

On Mon, Nov 06, 2017 at 02:45:01PM +0100, Andrey Konovalov wrote:
> Below are the details for 14 vulnerabilities found with syzkaller in the Linux kernel USB subsystem. All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine.

Perhaps not only in that case, but also in case an attacker has remote access to a USB device (perhaps most commonly via remote access to the machine, with privileges to access the USB device) sufficient to replace that device's firmware (thereby crafting a malicious device).

For example, many USB-connected FPGA boards, Bitcoin miners ("ASICs"), etc. may reasonably be made available to a non-root user (such as via udev rules), and they commonly permit microcontroller firmware update to be performed via USB as well. John the Ripper bleeding-jumbo currently loads firmware into MCUs on ZTEX 1.15y boards at startup (if the firmware in EEPROM is different), and we recommend running it as non-root with udev rules set up to grant access to non-root users in group "ztex" (this setup is described in doc/README-ZTEX). Many mainstream devices (mice, etc.) probably permit firmware update via USB as well. Hopefully, it's uncommon to have them directly accessible by non-root.

And no, I don't think these vulnerabilities should be a reason to run programs as root instead of granting access to non-root. Rather, this is a reminder that by granting access we expose more of the kernel's attack surface (and particularly fragile parts of it), so access should be granted to sufficiently trusted (pseudo-)user accounts only. Such direct access is often also sufficient to backdoor or brick the devices, which should be a concern anyway.

Alexander
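
Added example, not part of the original message or of John the Ripper's documentation: a Python audit that lists udev rules opening USB device nodes beyond root, the kind of access grant the message above says should go only to sufficiently trusted accounts. The sample rules and their vendor IDs are constructed; only the group name "ztex" comes from the message.

```python
import re

# Constructed sample rules; the vendor/product IDs are made up for illustration.
SAMPLE_RULES = r'''
SUBSYSTEM=="usb", ATTRS{idVendor}=="1234", ATTRS{idProduct}=="abcd", MODE="0660", GROUP="ztex"
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", MODE="0666"
SUBSYSTEM=="usb", ATTR{idVendor}=="5678", \
    TAG+="uaccess"
SUBSYSTEM=="net", ACTION=="add", NAME="lan0"
SUBSYSTEM=="usb", ATTR{idVendor}=="9abc", MODE="0600"
'''

# One udev token: KEY or KEY{attr}, an operator, a quoted value.
TOKEN = re.compile(r'(\w+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

def logical_lines(text):
    """Yield rules with backslash-continued lines joined, comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rule, buf = (buf + line).strip(), ""
        if rule and not rule.startswith("#"):
            yield rule

def audit(text):
    """Return (scope, detail, rule) for each USB rule that opens a device node."""
    findings = []
    for rule in logical_lines(text):
        tokens = TOKEN.findall(rule)
        if not any(k in ("SUBSYSTEM", "SUBSYSTEMS") and op == "==" and v == "usb"
                   for k, op, v in tokens):
            continue
        assigns = {k: v for k, op, v in tokens if op in ("=", ":=")}
        mode, group = assigns.get("MODE", ""), assigns.get("GROUP", "root")  # assumed default
        bits = int(mode, 8) if re.fullmatch(r"[0-7]{3,4}", mode) else 0
        if bits & 0o006:
            findings.append(("world", "MODE=" + mode, rule))
        elif bits & 0o060 and group != "root":
            findings.append(("group", group, rule))
        if ("TAG", "+=", "uaccess") in tokens:  # systemd ACL for the logged-in seat user
            findings.append(("seat", "uaccess", rule))
    return findings

if __name__ == "__main__":
    for scope, detail, rule in audit(SAMPLE_RULES):
        print(f"{scope:5} {detail:10} {rule}")
```

For each "group" finding, review the membership of the named group; "world" and "seat" findings expose the device to every local account or every logged-in seat user respectively.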