oss-sec mailing list archives

Re: Physical access vulnerabilities and auto-mounting


From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 23 Feb 2011 15:17:32 -0500 (EST)


On Wed, 23 Feb 2011, Steve Grubb wrote:

> However, this doesn't help in the scenario where you have a kiosk or internet cafe and untrusted people walk up to machines.

I used to be reluctant to use this kind of scenario, but times have changed and kiosks/cafes are a rather common environment. It seems reasonable for a system owner to expect that the simple insertion of a USB stick is not going to interfere with the operation of the host computer. The presence of auto-mounting doesn't seem to require "user-assistance" (i.e. careful social engineering) in the kiosk exploit scenario. The attacker is the person with physical access trying to DoS the given machine in a less-detectable fashion than the "defenestration exploit," i.e., throwing the target computer out the window for a literal denial of service (crash).

Now, if you have to social-engineer some admin into running "mount" for you, then maybe that's a little too dependent on admin carelessness to get a CVE (might as well tell them to run "rm -rf" or "download and execute this program").

These bugs might have a very low impact due to attack complexity, but there is still a reasonable/realistic attack scenario, so technically it can be given a CVE.

- Steve

