Date: Tue, 23 Aug 2016 15:01:07 +0000
From: "Radzykewycz, T (Radzy)" <radzy@...driver.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: Marcus Meissner <meissner@...e.de>, Adam Maris <amaris@...hat.com>, "Greg KH" <greg@...ah.com>, CVE ID Requests <cve-assign@...re.org>, "security@...nel.org" <security@...nel.org>
Subject: RE: [security-vendor] Re: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices

________________________________________
> From: Kurt Seifried [kseifried@...hat.com]
> Sent: Tuesday, August 23, 2016 7:21 AM
> To: oss-security
> Cc: Marcus Meissner; Adam Maris; Greg KH; CVE ID Requests; security@...nel.org
> Subject: [security-vendor] Re: [oss-security] Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices
>
> On Mon, Aug 22, 2016 at 11:38 PM, Willy Tarreau <w@....eu> wrote:
>
> > I'd classify it differently: something where a bug allows someone
> > unauthorized to do something he couldn't do differently needs a CVE.
> > That includes memory corruption, code execution, privilege increases,
> > local DoS/panic/oops by just executing an exploit, etc. Here we're
> > speaking about someone plugging some hardware into an open port which
> > immediately takes the whole system down. Sure, the faulty code makes
> > this possible. But the hardware is purposely designed for this. I can
> > also design some hardware which takes the system down and possibly even
> > fries it without involving the code at all. So once this device is
> > built, if we assign a CVE, nobody will fix it and it will not even
> > apply to any specific OS. Oh, after just one Google request I found
> > that I was not the first one to think about it, it already exists:
> >
> > http://arstechnica.com/security/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/
>
> Ah but defending against this sort of physical attack is actually quite
> easy, use a USB hub, or for higher assurance use a wireless USB hub. TBH
> I'm not sure what the difference is between say the above USB killer and a
> small taser or a small squirt bottle of saline solution.

If an attacker drops a bottle of saline solution on the floor outside the target's office, it's unlikely to be plugged into the USB port.

Enjoy!

-- radzy

> In general I should be able to plug USB devices into a computer without the
> computer succumbing to software based attacks (stuxnet anyone?).
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: secalert@...hat.com