Date: Mon, 22 Aug 2016 17:24:49 +0200 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Cc: Adam Maris <amaris@...hat.com>, Greg KH <greg@...ah.com>, cve-assign@...re.org, security@...nel.org Subject: Re: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices Hi, This seems a bit sore topic, and Mitre does not want to chime in. Perhaps we need to add more criteria to select CVE assignment. - simple DOS (e.g. NULL ptr dereference) when plugging in: No CVE - code execution (use after free, write overflows) when plugging in: Assign CVE That said, this leaves malicious USB devices posing as regular keyboards for text injection unclassified ... Ciao, Marcus On Thu, Aug 18, 2016 at 09:50:24PM +0200, Willy Tarreau wrote: > On Thu, Aug 18, 2016 at 08:16:27PM +0200, Adam Maris wrote: > > Attacker doesn't necessarily need to have physical access to USB port. He > > can somehow > > hand USB off to the victim that will with good intentions stick it to his > > USB port, unexpectedly > > causing kernel panic. Difference is that one probably wouldn't pour glue or > > corrosive liquid > > into his USB port believing that nothing bad will happen. > > Well, it happened to me when I was a kid, with a PS/2 port. I handed off > a device to someone of trust to connect to the PS/2 port and parallel port. > (PS/2 to pick the +5V). I wired it wrong and the motherboard died, as > amazing as it seems and the person didn't find it fun as it was not his PC. > > So yes it can be done even without suspecting. It's easy to do whatever you > want using a USB stick. You can use the 3W it provides to charge a 300V > capacitor and discharge it on the D+/D- to test the clamping diodes > robustness, etc... > > Thus I don't think either that something "only causing a panic" deserves > a CVE. It needs to be fixed however, for sure! > > Regards, > Willy > -- Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ