oss-sec mailing list archives

Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 14 Mar 2013 12:01:26 -0600


On 03/14/2013 11:36 AM, Christey, Steven M. wrote:
While perhaps a questionable action in many environments, attaching
a USB device is a common use case.  The person attaching the device
has a reasonable expectation that code will NOT be executed, and
files will NOT be written outside the device, etc. without their
explicit permission or configuration.  There is also a reasonable
expectation that the operation of the device will not perform
actions against the OS without implicit user permission.

So, scenario 1 would clearly require a CVE.

For other scenarios, it should be considered whether the
user/victim uses a "common" operation that is not obviously
dangerous.  In scenario 3, clicking on a file in a USB device is a
common and reasonable operation, and unless that file is an
executable or otherwise automatically implies code execution, then
it is likely CVE-worthy if code execution, DoS, or some other
operation can be performed that is not within the intended
operation of the device.

I'm not sure I understand scenario 2 well enough to give direct
advice, but even if the user installing the USB is targeted instead
of the kernel, then it may qualify for a CVE.

- Steve

-----Original Message-----
From: Eugene Teo [mailto:eugeneteo () kernel sg]
Sent: Thursday, March 14, 2013 9:51 AM
To: oss-security () lists openwall com
Subject: Re: [oss-security] CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device

Hi Marcus,

On Thursday, 14 March 2013, Marcus Meissner wrote:

I am wondering ... do we consider attacks with special attack
tailored USB devices as CVE worthy?

There is only some precedence in the CVE DB, but not much.

I stumbled over this fix from one of my colleagues where a
specifically made USB device reporting the "cdc-wdm" USB class
could cause a kernel heap overflow.

"Malicious attached devices" might fall into several

1. Attaching the device causes the issue directly within the
kernel / autoloaded module, without user interaction. (here the

2. Attaching the device causes the issue when userspace,
dependent on e.g. desktop system, does initiate a separate
action (like an automount and then exploitation of something)
(so not direct a kernel, but a kernel + GNOME/KDE

A contrived example: you plug in a (fake) evil GPS device which causes
the system to go "oh a GPS device, I'll start up the GPS service"; if
said GPS service had a buffer overflow in handling the data it receives,
the evil (fake) GPS device could send data that causes code execution.
I know this example (plug GPS device in, GPS service starts) has worked in
Fedora by default for a few years now. I'm sure there are other
examples too.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

