oss-sec mailing list archives
Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2
From: Eddie Chapman <eddie () ehuk net>
Date: Thu, 22 Aug 2019 19:44:50 +0100
On 22/08/2019 18:57, Perry E. Metzger wrote:
> Android phones run Linux. People routinely plug those phones in to USB charging stations in airports, on airplanes, at booths in public places, etc.
>
> Perry
I would argue that this kind of behaviour is far too trusting and asking for trouble. Should we request a CVE for foolish user behaviour? Yes, USB was designed to make it easy to be able to plug/unplug devices without having to open your device up, but it doesn't mean people should do stupid things with it. OK, there are different levels of risk, you can never be totally sure if any device is safe unless you open it up and start examining. If it is a dumb charger or you know the person who supplies you with a more sophisticated charging device (either a manufacturer you trust you bought it from or a friend you trust obtained the device from a trusted manufacturer) then the risk is lower, but not eliminated completely.
If I designed a box with PCIe slots on the outside of the case, would you go around plugging in random circuit boards into it if they were available at an airport and provided some useful function? I would not. Whatever interface it is I will only plug it in if I have some reasonable level of confidence about the device. Or maybe people have already started reviewing the kernel code looking for ways in which a malicious PCIe device could own the system.