Date: Tue, 22 Sep 2015 17:49:53 -0700
From: Moein Ghasemzadeh <moein@...uary.com>
To: <oss-security@...ts.openwall.com>
Subject: Vulnerability in WhiteHEAT Linux Driver-CVE-2015-5257

Hello,

We have discovered a vulnerability in a Linux kernel module and would
like to inform you so that required actions could be taken.

Assigned CVE ID : CVE-2015-5257.

Below is the description of the vulnerability.

1. Software name and vendor name:
USB WhiteHEAT serial driver by ConnecTech in the Linux kernel
v3.19.0-28, but likely to exist in all kernel versions.

2. Type of vulnerability or attack outcome:

The vulnerability triggers a kernel NULL pointer dereference. It causes
the OS to freeze on many machines and requires a cold reboot, causing
denial of service.

3. A description of the affected code (e.g. the function name, the
vulnerable web page, link to the affected code, a bug entry, etc.):

The flaw exists in the "whiteheat_attach" function in
drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the
Linux kernel.
(http://lxr.free-electrons.com/source/drivers/usb/serial/whiteheat.c?v=3.19)


In the driver, the “COMMAND_PORT” variable is hard coded and is set to
“4” (5th element). So, the driver assumes that the number of ports
always will be 5 and takes the port number 5 as the command port. But,
using a specially made USB device in which the number of ports was set
to a number less than 5 (e.g. 3) we were able to perform Denial of
Service on the system due to a kernel NULL pointer dereference. The
system froze and requires a reboot.

You may find more information regarding the bug from the logs attached
to this email. Please let us know if you have any questions or concerns.

Thanks,
-- 
* Moein Ghasemzadeh *|  Security Researcher

Istuary Innovation Labs Inc.

800, 1125 Howe St., Vancouver V6Z 2K8, BC, Canada

Tel: 604.299.0388 ext 812 | Fax: 604.299.8003

www.istuary.com <http://www.istuary.com/>


View attachment "dmesg.txt" of type "text/plain" (65714 bytes)

View attachment "lspci.txt" of type "text/plain" (1895 bytes)

View attachment "lshw.txt" of type "text/plain" (16111 bytes)

View attachment "lscpu.txt" of type "text/plain" (725 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
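
Added example (not part of the original message and not the kernel's code): a user-space C model of the check the report implies is missing, namely validating the device-reported port count before indexing the port array with the hard-coded COMMAND_PORT. The struct and function names are hypothetical; only COMMAND_PORT and its value 4 come from the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define COMMAND_PORT 4  /* hard-coded index quoted in the report */
#define MAX_PORTS    8  /* assumption: capacity of the model's port array */

/* Hypothetical stand-ins for the driver's per-device structures. */
struct model_port { int id; };
struct model_serial {
    unsigned int num_ports;              /* count taken from the device */
    struct model_port *port[MAX_PORTS];  /* slots >= num_ports stay NULL */
};

/* Return the command port only if the device really exposes it. */
static struct model_port *get_command_port(const struct model_serial *s)
{
    if (s == NULL || s->num_ports <= COMMAND_PORT)
        return NULL;
    return s->port[COMMAND_PORT];
}

/* Attach step: refuse the device instead of dereferencing a NULL slot. */
static int model_attach(const struct model_serial *s)
{
    struct model_port *cmd = get_command_port(s);
    if (cmd == NULL)
        return -ENODEV;
    return cmd->id;  /* safe: the slot was validated above */
}

/* Build a constructed device with n ports and run the attach step. */
static int attach_with_ports(unsigned int n)
{
    static struct model_port ports[MAX_PORTS];
    struct model_serial s = { .num_ports = n };
    for (unsigned int i = 0; i < n && i < MAX_PORTS; i++) {
        ports[i].id = (int)i;
        s.port[i] = &ports[i];
    }
    return model_attach(&s);
}

int main(void)
{
    printf("3 ports -> %d\n", attach_with_ports(3));  /* rejected */
    printf("5 ports -> %d\n", attach_with_ports(5));  /* accepted */
    return 0;
}
```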
