Re: Linux kernel: multiple vulnerabilities in the USB subsystem

[Solar Designer <solar () openwall com>]

On Mon, Nov 06, 2017 at 02:45:01PM +0100, Andrey Konovalov wrote:
> Below are the details for 14 vulnerabilities found with syzkaller in
> the Linux kernel USB subsystem. All of them can be triggered with a
> crafted malicious USB device in case an attacker has physical access
> to the machine.

Perhaps not only in that case, but also in case an attacker has remote
access to a USB device (perhaps most commonly via remote access to the
machine, with privileges to access the USB device) sufficient to replace
that device's firmware (thereby crafting a malicious device).

For example, many USB-connected FPGA boards, Bitcoin miners ("ASICs"),
etc. may reasonably be made available to a non-root user (such as via
udev rules), and they commonly permit microcontroller firmware update to
be performed via USB as well.  John the Ripper bleeding-jumbo currently
loads firmware into MCUs on ZTEX 1.15y boards at startup (if the
firmware in EEPROM is different), and we recommend running it as
non-root with udev rules setup to grant access to non-root users in
group "ztex" (this setup is described in doc/README-ZTEX).

Many mainstream devices (mice, etc.) probably permit firmware update via
USB as well.  Hopefully, it's uncommon to have them directly accessible
by non-root.

And no, I don't think these vulnerabilities should be a reason to run
programs as root instead of granting access to non-root.  Rather, this
is a reminder that by granting access we expose more of the kernel's
attack surface (and particularly fragile parts of it), so access should
be granted to sufficiently trusted (pseudo-)user accounts only.  Such
direct access is often also sufficient to backdoor or brick the devices,
which should be a concern anyway.

Alexander