Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 22 Aug 2016 16:55:42 -0400
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Cc: meissner@...e.de, cve-assign@...re.org
Subject: Re: Re: CVE Request: Linux kernel crash of OHCI when
 plugging in malicious USB devices

On Mon, Aug 22, 2016 at 02:37:17PM -0400, cve-assign@...re.org wrote:
> There has been a related CVE for five years (CVE-2011-0640), although
> selecting udev as the responsible component was probably not the right
> approach, and maybe that CVE should be updated or rejected. We think
> the current understanding, very roughly, is:

Yes, udev isn't the correct place for it, but I really don't know what
would be.  What "tool" was assigned this CVE for other operating systems
that do the same thing (all BSDs, OS-X, Windows, etc.)?

> 
>   - the Linux kernel does not require a configuration in which a newly
>     connected USB device is recognized in any way

I don't understand this statement, can you clarify?

The Linux kernel has a configuration that does not allow any USB devices
to work, unless explicitly granted permission to do so by a userspace
tool.  The device will be enumerated, but that is all, it is up to
userspace to then tell the kernel to actually "use" the device.
This feature has been present at the USB "device" level for quite some
time, and at the USB "interface" level now for I think over a year (can
dig it out if people really care, the work was done by someone from
SuSE.)

Also, all Wireless USB devices operate in this manner "by default" for
as long as Linux has supported Wireless USB devices (thankfully these
devices are really rare.)

>   - a Linux distribution may ship with a default configuration in
>     which a newly connected USB device can operate as a keyboard and
>     inject text into an application

Yes, but I don't understand, perhaps what you really mean to say is:
	A Linux distribution may ship with a default configuration of
	trusting all new devices that are plugged in without any form of
	userspace authentication before they begin to operate.

>   - some Linux distributions want to have this behavior, and their
>     maintainers have concluded that there is no comprehensive method
>     for "asking a user" about a new USB device in a way that is
>     compatible with all use cases

Huh?  There is such a method, Linux has supported this for a very long
time (see above.)   It's up to the distro to decide to use it or not,
that's their choice (hint, I don't blame them for making this choice,
it's what almost all users expect and want as well...)

>   - if anyone (whether a Linux distribution or other type of product)
>     is announcing a required security update, in which software or
>     configuration is being changed to address malicious keyboard
>     attacks, then we can assign a CVE ID to associate with the update
>     announcement

Why would a CVE be needed for a "my distro decides to not trust USB
devices as much as your distro does" type decision?  This is just a
matter of how a distribution configures their kernel, combined with
their decision of how to deal with new USB devices.  Perhaps you could
argue that some of those decisions might be "more secure" than others,
but I don't see a "bug" that is resolved by deciding about this one way
or the other, do you?

thanks,

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.