Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/14/2013 11:36 AM, Christey, Steven M. wrote:
> While perhaps a questionable action in many environments, attaching
> a USB device is a common use case.  The person attaching the device
> has a reasonable expectation that code will NOT be executed, and
> files will NOT be written outside the device, etc. without their
> explicit permission or configuration.  There is also a reasonable
> expectation that the operation of the device will not perform
> actions against the OS without implicit user permission.
>
> So, scenario 1 would clearly require a CVE.
>
> For other scenarios, it should be considered whether the
> user/victim uses a "common" operation that is not obviously
> dangerous.  In scenario 3, clicking on a file in a USB device is a
> common and reasonable operation, and unless that file is an
> executable or otherwise automatically implies code execution, then
> it is likely CVE-worthy if code execution, DoS, or some other
> operation can be performed that is not within the intended
> operation of the device.
>
> I'm not sure I understand scenario 2 well enough to give direct
> advice, but even if the user installing the USB is targeted instead
> of the kernel, then it may qualify for a CVE.
>
> - Steve
>
>
> > -----Original Message----- From: Eugene Teo
> > [mailto:eugeneteo () kernel sg] Sent: Thursday, March 14, 2013 9:51
> > AM To: oss-security () lists openwall com Subject: Re:
> > [oss-security] CVE Request/Guidance: Linux kernel cdc-wdm buffer
> > overflow triggered by device
> >
> > Hi Marcus,
> >
> > On Thursday, 14 March 2013, Marcus Meissner wrote:
> >
> > > Hi,
> > >
> > > I am wondering ... do we consider attacks with special attack
> > > taylored USB devices as CVE worthy?
> > >
> > > There is only some precedence in the CVE DB, but not much.
> > >
> > > I stumbled over this fix from one of my colleagues where a
> > > specifically made USB device reporting the "cdc-wdm" USB class
> > > could cause a kernel heap overflow.
> > >
> > > "Malicious attached devices" might fall into several
> > > categories:
> > >
> > > 1. Attaching the device causes the issue directly within the
> > > kernel / autoloaded module, without user interaction. (here the
> > > case)
> > >
> > >
> > > 2. Attaching the device causes the issue when userspace,
> > > dependend on e.g. desktop system, does initiate a seperate
> > > action (like an automount and then exploitation of something)
> > > (so not direct a kernel, but a kernel + GNOME/KDE
> > > interaction).

A contrived example: you plug in a (fake) evil GPS device which causes
the system to go "oh a GPS device, I'll start up the GPS service, if
said GPS service had a buffer overflow in handling the data sent by
the evil (fake) GPS device could send data that causes code execution.
I know this example (plug GPS device in, GPS service starts) works in
Fedora by default for a few years now. I'm sure there are other
exmaples too.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRQhB2AAoJEBYNRVNeJnmTAm0QAMxA5lF4uHGSMNVfsCoHUQAL
GsqR+rCy+KCH5FLCLcISSj9x6YdBegVHNjohJ308Z3gtb546GUQNIobqZNW1MjuL
ghk8+bPw8ZPQ2W22Fc6HrXGF1Aehy6minm2Icf/qADVf7NEz7A9TWWWu3FQmIL4k
bZot3upy9wbJNhmeGjegb0EpFaJlhE4L8xQgb6CM6aImNTVaJsvSpvAMhpjf0DLp
5j4EA6i3QWBDHYHCtLcoLQCiADmXAZceaDqSX4cJQqIlqm+2WwOMFwozlBBb8ItP
I4RtCepGVhxpI+G1s58uNj0J+GgMh6/UjmyxHvM2c16wYL6Dhb6FADGGpA5msY1W
rmdmrFRGr86kqVBwB5i7VOKvX7ALeVNN5sCOkkaavzRZpsGRsz2yc3KFm0VdH+n7
TqJIo16ozzmzFGiH2M+pZpp9MdYxshmBhwwNWtOJJSiTfRVi2gSznk1OtKMWjB9c
ocrRkaSbvjKrZ17yDs6Q7/BJC22SqevQhh9tKOw4ib5Pn48WxZEChHiYJAzY5n4L
c9iCLCNzpInV5Iy6IoBKkAZ+odQSPmho30s3HBTm+qRVrvEzn90wxanuQbV8rEKg
Y/Emtgj2Jb0ZTlLzNc4RFjOgWTD3Z1KObQfXvyKUeClOlSfc/eZD90vazQaCNjgt
2YFzg8XbHiSz9bzND0cl
=fIP2
-----END PGP SIGNATURE-----