Date: Mon, 09 Jan 2012 09:38:01 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Hanno Böck <hanno@...eck.de>
Subject: Re: Malicious devices & vulnerabilities

On 01/09/2012 05:08 AM, Hanno Böck wrote:
> On Sun, 8 Jan 2012 09:07:25 -0800, Greg KH
> <greg@...ah.com> wrote:
> 
>> They should be considered buggy, yes, and as such, the kernel 
>> developers will fix any reported problems (or we should, if not, 
>> please let me know.)
>> 
>> But note, as these almost always fall under the "you have
>> physical access" category, their security impact is generally
>> considered low.
> 
> As far as publicly known, it's likely that Stuxnet was originally 
> spread via a security problem with USB.
> 
> Also, I'd doubt the "physical access" category. It may just require
> a bit of social engineering ("I have the file you requested on this
> usb stick").
> 
> Considering that, I'd strongly disagree with classifying such issues
> as "low impact".
> 
> At least for pluggable devices, I'd consider such issues rather 
> serious. It's another thing with PCI or other devices that require 
> significant work to attach to a piece of hardware.

If you are using cvss2, the flaw itself should have a low impact, and
how it will affect your environment may have a higher impact. See
http://www.first.org/cvss/cvss-guide.html#i2.3.

It's hard to give a single rating that can be applied to all scenarios
because obviously in some environments, this is not an issue, while in
other cases like public Internet kiosks, it can be a big headache.

Eugene

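Worked example, added here and not part of Eugene's message or of FIRST's own calculator: the CVSS v2 base, temporal and environmental formulas from the guide linked above, applied to a constructed vector for a kernel crash triggered by a hot-plugged USB device (AV:L/AC:L/Au:N/C:N/I:N/A:C). The "kiosk" and "locked server room" environmental metric choices are assumptions made for illustration. It goes one step beyond the message by scoring the same flaw in both environments, which is where the split between a low base score and an environment-dependent score becomes visible.

```python
"""CVSS v2 base, temporal and environmental scoring (weights and formulas
from the CVSS v2 guide, section 3.2), applied to a local-only flaw such as
one triggered by a malicious USB device.  Example code added to this
thread; it is not from the e-mail above nor from FIRST's calculator."""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Base metric weights.
AV = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}          # access vector
AC = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}           # access complexity
AU = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}          # authentication
CIA = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}           # C/I/A impact
# Temporal metric weights (ND = not defined).
E = {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")}
RL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")}
RC = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")}
# Environmental metric weights.
CDP = {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")}
TD = {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")}
REQ = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}  # CR/IR/AR


def round1(x):
    """round_to_1_decimal as in the guide; Decimal avoids float ties (e.g. 8.55)."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def impact(c, i, a):
    return D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))


def base_score(imp, expl):
    f = D("0") if imp == 0 else D("1.176")          # f(Impact) from the guide
    return round1((D("0.6") * imp + D("0.4") * expl - D("1.5")) * f)


def cvss2_scores(vector):
    """Parse a CVSS v2 vector (base metrics required, temporal and
    environmental optional) and return base/temporal/environmental scores."""
    m = dict(part.split(":", 1) for part in vector.split("/"))

    def g(key):
        return m.get(key, "ND")

    expl = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    c, i, a = CIA[m["C"]], CIA[m["I"]], CIA[m["A"]]

    def temporal(base):
        return round1(base * E[g("E")] * RL[g("RL")] * RC[g("RC")])

    base = base_score(impact(c, i, a), expl)
    temp = temporal(base)
    # Environmental: the guide recomputes base and temporal with the
    # requirement-weighted (and capped) impact, then applies CDP and TD.
    adj_impact = min(D("10"), impact(c * REQ[g("CR")], i * REQ[g("IR")], a * REQ[g("AR")]))
    adj_temp = temporal(base_score(adj_impact, expl))
    env = round1((adj_temp + (10 - adj_temp) * CDP[g("CDP")]) * TD[g("TD")])
    return {"base": float(base), "temporal": float(temp), "environmental": float(env)}


def severity(score):
    """NVD's qualitative bands for CVSS v2 scores."""
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"


if __name__ == "__main__":
    # Constructed scenario: a kernel crash triggered by a hot-plugged USB
    # device.  Local access vector, no auth, complete availability impact.
    flaw = "AV:L/AC:L/Au:N/C:N/I:N/A:C"
    kiosk = flaw + "/CDP:MH/TD:H/AR:H"   # assumed: public kiosks, anyone can plug in
    locked = flaw + "/CDP:L/TD:L/AR:L"   # assumed: locked server room, few such hosts
    for label, v in [("base only", flaw), ("kiosk", kiosk), ("locked room", locked)]:
        s = cvss2_scores(v)
        print(f"{label:12s} base={s['base']} env={s['environmental']} "
              f"({severity(s['environmental'])})")
```

Running it gives base 4.9 (Medium) for the flaw, 8.3 (High) with the kiosk environmental metrics and 0.8 (Low) for the locked room. Every intermediate score is rounded to one decimal exactly as the guide nests them; a naive float implementation can come out 0.1 off on half-way values.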