Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 22 Aug 2016 17:24:49 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: Adam Maris <amaris@...hat.com>, Greg KH <greg@...ah.com>,
	cve-assign@...re.org, security@...nel.org
Subject: Re: Re: CVE Request: Linux kernel crash of OHCI when
 plugging in malicious USB devices

Hi,

This seems a bit sore topic, and Mitre does not want to chime in.

Perhaps we need to add more criteria to select CVE assignment.

- simple DOS (e.g. NULL ptr dereference) when plugging in: No CVE
- code execution (use after free, write overflows) when plugging in: Assign CVE


That said, this leaves malicious USB devices posing as regular keyboards 
for text injection unclassified ... 

Ciao, Marcus

On Thu, Aug 18, 2016 at 09:50:24PM +0200, Willy Tarreau wrote:
> On Thu, Aug 18, 2016 at 08:16:27PM +0200, Adam Maris wrote:
> > Attacker doesn't necessarily need to have physical access to USB port. He
> > can somehow
> > hand USB off to the victim that will with good intentions stick it to his
> > USB port, unexpectedly
> > causing kernel panic. Difference is that one probably wouldn't pour glue or
> > corrosive liquid
> > into his USB port believing that nothing bad will happen.
> 
> Well, it happened to me when I was a kid, with a PS/2 port. I handed off
> a device to someone of trust to connect to the PS/2 port and parallel port.
> (PS/2 to pick the +5V). I wired it wrong and the motherboard died, as
> amazing as it seems and the person didn't find it fun as it was not his PC.
> 
> So yes it can be done even without suspecting. It's easy to do whatever you
> want using a USB stick. You can use the 3W it provides to charge a 300V
> capacitor and discharge it on the D+/D- to test the clamping diodes
> robustness, etc...
> 
> Thus I don't think either that something "only causing a panic" deserves
> a CVE. It needs to be fixed however, for sure!
> 
> Regards,
> Willy
> 

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ