oss-sec mailing list archives
Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 14 Mar 2013 12:01:26 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/14/2013 11:36 AM, Christey, Steven M. wrote:
While perhaps a questionable action in many environments, attaching a USB device is a common use case. The person attaching the device has a reasonable expectation that code will NOT be executed, and files will NOT be written outside the device, etc. without their explicit permission or configuration. There is also a reasonable expectation that the operation of the device will not perform actions against the OS without implicit user permission. So, scenario 1 would clearly require a CVE. For other scenarios, it should be considered whether the user/victim uses a "common" operation that is not obviously dangerous. In scenario 3, clicking on a file in a USB device is a common and reasonable operation, and unless that file is an executable or otherwise automatically implies code execution, then it is likely CVE-worthy if code execution, DoS, or some other operation can be performed that is not within the intended operation of the device. I'm not sure I understand scenario 2 well enough to give direct advice, but even if the user installing the USB is targeted instead of the kernel, then it may qualify for a CVE. - Steve-----Original Message----- From: Eugene Teo [mailto:eugeneteo () kernel sg] Sent: Thursday, March 14, 2013 9:51 AM To: oss-security () lists openwall com Subject: Re: [oss-security] CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Hi Marcus, On Thursday, 14 March 2013, Marcus Meissner wrote:Hi, I am wondering ... do we consider attacks with special attack taylored USB devices as CVE worthy? There is only some precedence in the CVE DB, but not much. I stumbled over this fix from one of my colleagues where a specifically made USB device reporting the "cdc-wdm" USB class could cause a kernel heap overflow. "Malicious attached devices" might fall into several categories: 1. Attaching the device causes the issue directly within the kernel / autoloaded module, without user interaction. (here the case) 2. Attaching the device causes the issue when userspace, dependend on e.g. desktop system, does initiate a seperate action (like an automount and then exploitation of something) (so not direct a kernel, but a kernel + GNOME/KDE interaction).
A contrived example: you plug in a (fake) evil GPS device which causes the system to go "oh a GPS device, I'll start up the GPS service, if said GPS service had a buffer overflow in handling the data sent by the evil (fake) GPS device could send data that causes code execution. I know this example (plug GPS device in, GPS service starts) works in Fedora by default for a few years now. I'm sure there are other exmaples too. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRQhB2AAoJEBYNRVNeJnmTAm0QAMxA5lF4uHGSMNVfsCoHUQAL GsqR+rCy+KCH5FLCLcISSj9x6YdBegVHNjohJ308Z3gtb546GUQNIobqZNW1MjuL ghk8+bPw8ZPQ2W22Fc6HrXGF1Aehy6minm2Icf/qADVf7NEz7A9TWWWu3FQmIL4k bZot3upy9wbJNhmeGjegb0EpFaJlhE4L8xQgb6CM6aImNTVaJsvSpvAMhpjf0DLp 5j4EA6i3QWBDHYHCtLcoLQCiADmXAZceaDqSX4cJQqIlqm+2WwOMFwozlBBb8ItP I4RtCepGVhxpI+G1s58uNj0J+GgMh6/UjmyxHvM2c16wYL6Dhb6FADGGpA5msY1W rmdmrFRGr86kqVBwB5i7VOKvX7ALeVNN5sCOkkaavzRZpsGRsz2yc3KFm0VdH+n7 TqJIo16ozzmzFGiH2M+pZpp9MdYxshmBhwwNWtOJJSiTfRVi2gSznk1OtKMWjB9c ocrRkaSbvjKrZ17yDs6Q7/BJC22SqevQhh9tKOw4ib5Pn48WxZEChHiYJAzY5n4L c9iCLCNzpInV5Iy6IoBKkAZ+odQSPmho30s3HBTm+qRVrvEzn90wxanuQbV8rEKg Y/Emtgj2Jb0ZTlLzNc4RFjOgWTD3Z1KObQfXvyKUeClOlSfc/eZD90vazQaCNjgt 2YFzg8XbHiSz9bzND0cl =fIP2 -----END PGP SIGNATURE-----
Current thread:
- CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Marcus Meissner (Mar 14)
- Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Eugene Teo (Mar 14)
- RE: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Christey, Steven M. (Mar 14)
- Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Kurt Seifried (Mar 14)
- RE: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Christey, Steven M. (Mar 14)
- Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Petr Matousek (Mar 14)
- Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Kurt Seifried (Mar 14)
- Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device Eugene Teo (Mar 14)