Date: Thu, 14 Mar 2013 12:01:26 -0600
From: Kurt Seifried <>
CC: "Christey, Steven M." <>
Subject: Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer
 overflow triggered by device

On 03/14/2013 11:36 AM, Christey, Steven M. wrote:
> While perhaps a questionable action in many environments, attaching
> a USB device is a common use case.  The person attaching the device
> has a reasonable expectation that code will NOT be executed, and
> files will NOT be written outside the device, etc. without their
> explicit permission or configuration.  There is also a reasonable
> expectation that the operation of the device will not perform
> actions against the OS without implicit user permission.
> So, scenario 1 would clearly require a CVE.
> For other scenarios, it should be considered whether the
> user/victim uses a "common" operation that is not obviously
> dangerous.  In scenario 3, clicking on a file in a USB device is a
> common and reasonable operation, and unless that file is an
> executable or otherwise automatically implies code execution, then
> it is likely CVE-worthy if code execution, DoS, or some other
> operation can be performed that is not within the intended
> operation of the device.
> I'm not sure I understand scenario 2 well enough to give direct
> advice, but even if the user installing the USB is targeted instead
> of the kernel, then it may qualify for a CVE.
> - Steve
>> -----Original Message-----
>> From: Eugene Teo []
>> Sent: Thursday, March 14, 2013 9:51 AM
>> To:
>> Subject: Re: [oss-security] CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device
>> Hi Marcus,
>> On Thursday, 14 March 2013, Marcus Meissner wrote:
>>> Hi,
>>> I am wondering ... do we consider attacks with special attack
>>> tailored USB devices as CVE worthy?
>>> There is only some precedence in the CVE DB, but not much.
>>> I stumbled over this fix from one of my colleagues where a
>>> specifically made USB device reporting the "cdc-wdm" USB class
>>> could cause a kernel heap overflow.
>>> "Malicious attached devices" might fall into several
>>> categories:
>>> 1. Attaching the device causes the issue directly within the
>>> kernel / autoloaded module, without user interaction. (here the
>>> case)
>>> 2. Attaching the device causes the issue when userspace,
>>> dependent on e.g. desktop system, does initiate a separate
>>> action (like an automount and then exploitation of something)
>>> (so not directly the kernel, but a kernel + GNOME/KDE
>>> interaction).

A contrived example: you plug in a (fake) evil GPS device, which causes
the system to go "oh, a GPS device, I'll start up the GPS service". If
said GPS service had a buffer overflow in handling the data sent by the
device, the evil (fake) GPS device could send data that causes code
execution. I know this example (plug GPS device in, GPS service starts)
has worked in Fedora by default for a few years now. I'm sure there are
other examples too.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
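Added illustration, not part of the thread and not the kernel's cdc-wdm code: a toy model of the bug class Marcus describes in scenario 1 (and that Kurt's GPS service example repeats in userspace), where a driver accumulates response fragments from the device into a buffer sized by what the device itself advertised, and the device then sends more than it promised. The naive handler is shown beside a hardened one. All names (wdm_model, wdm_rx_naive, wdm_rx_checked, rx_result) and the 16-byte wMaxCommand value are hypothetical, and the device fragments are constructed test data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of a USB class driver stacking device-supplied response
 * fragments into a buffer sized from the device descriptor (cdc-wdm's
 * wMaxCommand). Illustration only; not the kernel's cdc-wdm code.
 * All names here are hypothetical.
 */

#define WMAX_COMMAND 16   /* response buffer size the device advertised */
#define GUARD_LEN     8   /* stands in for whatever follows the allocation on the heap */
#define GUARD_BYTE 0xA5

struct wdm_model {
    /* one flat array: bytes [0, WMAX_COMMAND) are the response buffer, the
     * rest is a guard region, so the naive copy stays inside a real C object */
    unsigned char mem[WMAX_COMMAND + GUARD_LEN];
    size_t length;    /* response bytes accumulated so far */
    int    rerr;      /* hardened path: device overran, remaining data dropped */
};

struct rx_result {
    size_t length;     /* bytes the handler accepted */
    int    rerr;       /* error flag after the run */
    size_t clobbered;  /* guard bytes overwritten; nonzero means overflow */
};

static void wdm_model_init(struct wdm_model *d)
{
    memset(d->mem, 0, WMAX_COMMAND);
    memset(d->mem + WMAX_COMMAND, GUARD_BYTE, GUARD_LEN);
    d->length = 0;
    d->rerr = 0;
}

/* Naive completion handler: assumes the device honours its own wMaxCommand. */
static void wdm_rx_naive(struct wdm_model *d, const unsigned char *frag, size_t n)
{
    memcpy(d->mem + d->length, frag, n);   /* no bound: heap overflow if the device lies */
    d->length += n;
}

/*
 * Hardened handler: a fragment that would not fit is dropped, the error is
 * latched so a reader sees it, and what already fit is preserved. The check
 * is written as n > remaining rather than length + n > max so it cannot wrap.
 */
static int wdm_rx_checked(struct wdm_model *d, const unsigned char *frag, size_t n)
{
    if (d->rerr || n > WMAX_COMMAND - d->length) {
        d->rerr = 1;
        return -1;    /* a real driver would report -ENOBUFS or similar */
    }
    memcpy(d->mem + d->length, frag, n);
    d->length += n;
    return 0;
}

static size_t guard_clobbered(const struct wdm_model *d)
{
    size_t i, bad = 0;
    for (i = 0; i < GUARD_LEN; i++)
        if (d->mem[WMAX_COMMAND + i] != GUARD_BYTE)
            bad++;
    return bad;
}

/* Constructed hostile device: advertises 16 bytes, then replies with 10 + 12 = 22. */
static const unsigned char frag1[] = { '0','1','2','3','4','5','6','7','8','9' };
static const unsigned char frag2[] = { 'A','B','C','D','E','F','G','H','I','J','K','L' };

static struct rx_result run_naive(void)
{
    struct wdm_model d;
    struct rx_result r;
    wdm_model_init(&d);
    wdm_rx_naive(&d, frag1, sizeof frag1);
    wdm_rx_naive(&d, frag2, sizeof frag2);   /* second fragment runs into the guard */
    r.length = d.length; r.rerr = d.rerr; r.clobbered = guard_clobbered(&d);
    return r;
}

static struct rx_result run_checked(void)
{
    struct wdm_model d;
    struct rx_result r;
    wdm_model_init(&d);
    wdm_rx_checked(&d, frag1, sizeof frag1);
    wdm_rx_checked(&d, frag2, sizeof frag2);  /* rejected: 12 > 16 - 10 */
    r.length = d.length; r.rerr = d.rerr; r.clobbered = guard_clobbered(&d);
    return r;
}

int main(void)
{
    struct rx_result n = run_naive(), c = run_checked();
    printf("naive:   accepted %zu bytes, guard bytes clobbered %zu\n", n.length, n.clobbered);
    printf("checked: accepted %zu bytes, rerr=%d, guard bytes clobbered %zu\n",
           c.length, c.rerr, c.clobbered);
    return 0;
}
```

The point the model makes is the one behind the CVE question: nothing in the USB transfer path enforces the size a device declared in its own descriptor, so a class driver must bound every copy against what it actually allocated, not against what the device claims it will send, and must surface the violation rather than silently truncate. The same rule applies to a userspace daemon that a desktop starts on hotplug, as in the GPS example above.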