oss-sec mailing list archives

Vulnerability in WhiteHEAT Linux Driver-CVE-2015-5257


From: Moein Ghasemzadeh <moein () istuary com>
Date: Tue, 22 Sep 2015 17:49:53 -0700

Hello,

We have discovered a vulnerability in a Linux kernel module and would
like to inform you so that required actions could be taken.

Assigned CVE ID : CVE-2015-5257.

Below is the description of the vulnerability.

1. Software name and vendor name:
USB WhiteHEAT serial driver by ConnecTech in the Linux kernel
v3.19.0-28, but likely to exist in all kernel versions.

2. Type of vulnerability or attack outcome:

The vulnerability triggers a kernel NULL pointer dereference. It causes
the OS to freeze on many machines and requires a cold reboot, causing
denial of service.

3. A description of the affected code (e.g. the function name, the
vulnerable web page, link to the affected code, a bug entry, etc.):

The flaw exists in the "whiteheat_attach" function in
drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the
Linux kernel.
(http://lxr.free-electrons.com/source/drivers/usb/serial/whiteheat.c?v=3.19)


In the driver, the “COMMAND_PORT” variable is hard coded and is set to
“4” (5th element). So, the driver assumes that the number of ports
always will be 5 and takes the port number 5 as the command port. But,
using a specially made USB device in which the number of ports was set
to a number less than 5 (e.g. 3) we were able to perform Denial of
Service on the system due to a kernel NULL pointer dereference. The
system froze and required a reboot.

You may find more information regarding the bug from the logs attached
to this email. Please let us know if you have any questions or concerns.

Thanks,
-- 
* Moein Ghasemzadeh *|  Security Researcher

Istuary Innovation Labs Inc.

800, 1125 Howe St., Vancouver V6Z 2K8, BC, Canada

Tel: 604.299.0388 ext 812 | Fax: 604.299.8003

www.istuary.com <http://www.istuary.com/>

Attachment: dmesg.txt
Description:

Attachment: lspci.txt
Description:

Attachment: lshw.txt
Description:

Attachment: lscpu.txt
Description:

Attachment: signature.asc
Description: OpenPGP digital signature
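
The missing check described in the report, as an added example that is not part of the original post and is not the kernel's code: a user-space model of a port table in which only the slots the device reports are populated, with the unchecked lookup beside one way to guard it. Only COMMAND_PORT = 4 comes from the advisory; the model_* types, MAX_PORTS and the helper functions are hypothetical.

```c
/* User-space model, not kernel code; model_* names are hypothetical, COMMAND_PORT = 4 is from the advisory. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define COMMAND_PORT 4   /* hard-coded index (5th element) */
#define MAX_PORTS    8   /* constructed bound for the model */

struct model_port { int id; };
struct model_serial {
    unsigned num_ports;                    /* as reported by the device */
    struct model_port *port[MAX_PORTS];    /* slots >= num_ports stay NULL */
    struct model_port storage[MAX_PORTS];
};

static void model_init(struct model_serial *s, unsigned n)
{
    memset(s, 0, sizeof(*s));
    s->num_ports = n > MAX_PORTS ? MAX_PORTS : n;
    for (unsigned i = 0; i < s->num_ports; i++)
        s->port[i] = &s->storage[i];
}

/* Unchecked lookup: NULL for a device with fewer than 5 ports; the attach path would dereference it. */
static struct model_port *command_port_unchecked(const struct model_serial *s)
{
    return s->port[COMMAND_PORT];
}

/* Hardened lookup: refuse to bind unless the command port really exists. */
static int command_port_checked(struct model_serial *s, struct model_port **out)
{
    if (s->num_ports <= COMMAND_PORT || s->port[COMMAND_PORT] == NULL)
        return -ENODEV;
    *out = s->port[COMMAND_PORT];
    return 0;
}

/* Helpers: outcome of each lookup for a device reporting n ports. */
int unchecked_is_null(unsigned n)
{ struct model_serial s; model_init(&s, n); return command_port_unchecked(&s) == NULL; }
int checked_result(unsigned n)
{ struct model_serial s; struct model_port *p = NULL; model_init(&s, n); return command_port_checked(&s, &p); }

int main(void)
{
    for (unsigned n = 3; n <= 5; n++)
        printf("ports=%u unchecked_null=%d checked=%d\n", n, unchecked_is_null(n), checked_result(n));
    return 0;
}
```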
