
Linux kernel: multiple vulnerabilities in the USB subsystem - stablemap
http://www.openwall.com/lists/oss-security/2017/11/06/8
======
mschuster91
Wonder how many of these bugs _remain_ hidden away in the modern kernels. USB
and Thunderbolt (which is also carrying PCIe in some modes) and for what it's
worth USB-C which can ALSO carry PCIe, in addition to DisplayPort, HDMI and
whatnot else have grown enormously complex.

To make matters worse, I guess there are ways for the USB slave device to
fingerprint the OS (or: hardware!) running on the host... something like a
"pwn me" USB stick working on all three major platforms (OS X, Linux, Windows)
or game consoles is certainly possible. And I can perfectly imagine that there
are ways to exploit the actual USB controller hardware, which gives unfettered
memory access.

~~~
majidazimi
Considering scientific statistics, which say there are 0.5 to 25 bugs per
KLoC in delivered software, we are really lucky that stuff still works... :D

~~~
kurtisc
Assuming 0.5 rounds down, that seems like an essentially useless statistic. If
you deliver a randomised binary that just doesn't run, does that count as more
than one bug?

~~~
colejohnson66
0.5 rounds up though...

~~~
kurtisc
Only for 2/5 IEEE 754 rounding methods!

What's 0.5 of a bug, anyway?

~~~
dsr_
A full bug, but it takes two thousand lines of code to surface.

------
gpm
Looks like these were all found by Google doing fuzzing, cool!

~~~
agumonkey
Very regularly fuzzing uncovers a few bugs, impressive.

------
easytiger
These are all DoS attacks that require a crafted USB device and physical
access. At which point I guess you could just power down. Only if chained with
another vuln (e.g. access to iLO) could you actually do anything.

~~~
inetknght
> or possibly have unspecified other impact

> use-after-free and system crash

> general protection fault and system crash

> out-of-bounds read and system crash

> NULL pointer dereference and system crash

I don't know about you, but I think a smart person could figure out how to
abuse these to get data out of my machine.

~~~
easytiger
How? They have non-privileged logical access as well as physical access to the
host?

~~~
inetknght
Not sure where you're coming up with non privileged logical access. The
vulnerabilities are in the _kernel_. The kernel is very much privileged.

------
etqwzutewzu
TLDR: severity is denial of service (as of today) for all of them

~~~
staticassertion
But if you actually read the descriptions there are plenty that look like
they'd have great potential for code execution.

------
kurtisc
Are there any situations where this would be a vulnerability but using a USB
device as a HID would not?

------
jimrandomh
Note that "crafted USB device" is a bigger attack vector than it sounds like;
if paired with vulnerabilities in USB devices themselves, you can have hosts
that infect USB devices and USB devices that then infect other hosts.

------
sengork
FireWire used to be a similar basket case. Don't think the firmware/drivers
got fixed; instead it became an obsolete hardware port and was replaced by
TB/USB/etc...

------
fauigerzigerk
Apparently, these are all denial of service attacks using a specially crafted
USB device that you have to physically insert into the Linux machine.

Pulling the plug sounds easier :)

~~~
digi_owl
[https://wicg.github.io/webusb/](https://wicg.github.io/webusb/)

~~~
geofft
I don't think that's relevant - WebUSB exposes physical USB devices on the
local machine to code running inside the browser. It does not allow code
running inside the browser to access the host USB stack as if it were a
physical device (in order to emulate a USB device, forward one across the web,
etc.).

------
tomc1985
These fixes will be backported to longterm kernel versions right?

------
rini17
AFAIK grsecurity allows disabling USB completely after boot, which should
avoid many of these problems. Is there another similar solution?

~~~
jlgaddis
Blacklist the various USB modules? Or disable USB in BIOS?

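A concrete version of the two suggestions above (blacklist the USB modules, or stop the kernel from accepting new USB devices after boot), written as an added example for this thread and not code from any of the commenters or from the advisory: a POSIX shell script that emits a modprobe.d fragment and, separately, flips the kernel's per-root-hub `authorized_default` knob so that devices plugged in from then on are not enumerated, and no driver binds to them, until an admin writes 1 to the device's own `authorized` attribute. The module list, the `/etc/modprobe.d/` destination, and the need for root are assumptions about the target system. The module fragment only matters where the drivers are built as modules; on distribution kernels with the host-controller drivers built in, only the sysfs knob has any effect.

```shell
#!/bin/sh
# Added example, not from the thread: two ways to stop the Linux kernel from
# talking to new USB devices after boot.

# Emit an /etc/modprobe.d fragment. "install <mod> /bin/false" also defeats
# alias-driven autoload, which a bare "blacklist <mod>" line does not.
# Caveat: this only works for drivers built as modules; xhci_hcd & co. are
# often built in, in which case rely on usb_deauthorize_new_devices instead.
# The module names are assumptions; adjust to your kernel (lsmod | grep usb).
usb_blacklist_conf() {
    for m in usb_storage uas usbhid xhci_hcd ehci_hcd ohci_hcd uhci_hcd; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Write 0 to authorized_default on every root hub, so devices attached from
# now on stay unauthorized (no descriptors parsed beyond enumeration, no
# driver bound) until an admin writes 1 to <dev>/authorized. Devices that are
# already attached keep working. Assumes root; pass "dry" as $1 to only report
# what would change. Prints the number of root hubs touched (or, in dry mode,
# the number that would be touched).
usb_deauthorize_new_devices() {
    mode=${1:-apply}
    n=0
    for f in /sys/bus/usb/devices/usb*/authorized_default; do
        [ -e "$f" ] || continue          # glob did not match: no USB bus here
        if [ "$mode" = dry ]; then
            echo "would write 0 to $f" >&2
        else
            echo 0 > "$f" || continue     # not root, or read-only sysfs
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# Re-allow one inspected device (bus-port name, e.g. 1-2) afterwards with:
#   echo 1 > /sys/bus/usb/devices/1-2/authorized
# Typical use:
#   usb_blacklist_conf > /etc/modprobe.d/no-usb.conf   # then rmmod or reboot
#   usb_deauthorize_new_devices dry                     # preview, then apply
```

Note that blacklisting `usbhid` or the host-controller drivers also takes out a USB keyboard and mouse, so on a desktop the `authorized_default` route is usually the one that stays usable: already-present input devices keep working, and only newly plugged hardware is refused.
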
------
bweston92
You can do anything with physical access anyway.

~~~
bluGill
True, but with these bugs it doesn't have to be the attacker that personally
has physical access to the target machine. For secure sites the attacker may
not be able to get past security, but if the device is innocent enough it
might.

If you are a secure site you need to oversee the manufacture of all your USB
cables, otherwise you don't know that someone hasn't put an attack into the
cables you ordered.

------
ky738
This is one of the many reasons why the kernel should have been written in
Rust.

~~~
pornel
Joking aside, is there any hope of Linux doing _anything_ else than just
continuing to use C forever and using verbal abuse of patch submitters as the
only safety layer?

~~~
marcosdumay
There's hope we move from Linux some day, into something with access controls
between parts of the OS.

But Linux will be in C forever.

