Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 14 Mar 2013 12:01:26 -0600
On 03/14/2013 11:36 AM, Christey, Steven M. wrote:
While perhaps a questionable action in many environments, attaching
a USB device is a common use case. The person attaching the device
has a reasonable expectation that code will NOT be executed, and
files will NOT be written outside the device, etc. without their
explicit permission or configuration. There is also a reasonable
expectation that the operation of the device will not perform
actions against the OS without implicit user permission.
So, scenario 1 would clearly require a CVE.
For other scenarios, it should be considered whether the
user/victim uses a "common" operation that is not obviously
dangerous. In scenario 3, clicking on a file in a USB device is a
common and reasonable operation, and unless that file is an
executable or otherwise automatically implies code execution, then
it is likely CVE-worthy if code execution, DoS, or some other
operation can be performed that is not within the intended
operation of the device.
I'm not sure I understand scenario 2 well enough to give direct
advice, but even if the user installing the USB is targeted instead
of the kernel, then it may qualify for a CVE.
-----Original Message-----
From: Eugene Teo [mailto:eugeneteo () kernel sg]
Sent: Thursday, March 14, 2013 9:51 AM
To: oss-security () lists openwall com
Subject: Re: [oss-security] CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device
On Thursday, 14 March 2013, Marcus Meissner wrote:
I am wondering ... do we consider attacks with specially
tailored attack USB devices as CVE worthy?
There is only some precedence in the CVE DB, but not much.
I stumbled over this fix from one of my colleagues where a
specifically made USB device reporting the "cdc-wdm" USB class
could cause a kernel heap overflow.
"Malicious attached devices" might fall into several
1. Attaching the device causes the issue directly within the
kernel / autoloaded module, without user interaction. (here the
2. Attaching the device causes the issue when userspace,
dependent on e.g. the desktop system, initiates a separate
action (like an automount and then exploitation of something)
(so not directly a kernel, but a kernel + GNOME/KDE
A contrived example: you plug in a (fake) evil GPS device which causes
the system to go "oh, a GPS device, I'll start up the GPS service"; if
said GPS service had a buffer overflow in handling the data sent by
the device, the evil (fake) GPS device could send data that causes code execution.
I know this example (plug GPS device in, GPS service starts) works in
Fedora by default for a few years now. I'm sure there are other
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993