Date: Thu, 14 Mar 2013 12:01:26 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Christey, Steven M." <coley@...re.org>
Subject: Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device

On 03/14/2013 11:36 AM, Christey, Steven M. wrote:
> While perhaps a questionable action in many environments, attaching
> a USB device is a common use case.  The person attaching the device
> has a reasonable expectation that code will NOT be executed, and
> files will NOT be written outside the device, etc. without their
> explicit permission or configuration.  There is also a reasonable
> expectation that the operation of the device will not perform
> actions against the OS without implicit user permission.
> 
> So, scenario 1 would clearly require a CVE.
> 
> For other scenarios, it should be considered whether the
> user/victim uses a "common" operation that is not obviously
> dangerous.  In scenario 3, clicking on a file in a USB device is a
> common and reasonable operation, and unless that file is an
> executable or otherwise automatically implies code execution, then
> it is likely CVE-worthy if code execution, DoS, or some other
> operation can be performed that is not within the intended
> operation of the device.
> 
> I'm not sure I understand scenario 2 well enough to give direct
> advice, but even if the user installing the USB is targeted instead
> of the kernel, then it may qualify for a CVE.
> 
> - Steve
> 
> 
>> -----Original Message-----
>> From: Eugene Teo [mailto:eugeneteo@...nel.sg]
>> Sent: Thursday, March 14, 2013 9:51 AM
>> To: oss-security@...ts.openwall.com
>> Subject: Re: [oss-security] CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device
>> 
>> Hi Marcus,
>> 
>> On Thursday, 14 March 2013, Marcus Meissner wrote:
>> 
>>> Hi,
>>> 
>>> I am wondering ... do we consider attacks with specially
>>> tailored USB devices as CVE worthy?
>>> 
>>> There is only some precedence in the CVE DB, but not much.
>>> 
>>> I stumbled over this fix from one of my colleagues where a
>>> specifically made USB device reporting the "cdc-wdm" USB class
>>> could cause a kernel heap overflow.
>>> 
>>> "Malicious attached devices" might fall into several
>>> categories:
>>> 
>>> 1. Attaching the device causes the issue directly within the
>>> kernel / autoloaded module, without user interaction. (here the
>>> case)
>>> 
>>> 2. Attaching the device causes the issue when userspace,
>>> dependent on e.g. the desktop system, initiates a separate
>>> action (like an automount and then exploitation of something)
>>> (so not directly the kernel, but a kernel + GNOME/KDE
>>> interaction).

A contrived example: you plug in a (fake) evil GPS device, which causes
the system to go "oh, a GPS device, I'll start up the GPS service"; if
said GPS service had a buffer overflow in handling the data sent by
the device, the evil (fake) GPS device could send data that causes code
execution. I know this example (plug GPS device in, GPS service starts)
has worked in Fedora by default for a few years now. I'm sure there are
other examples too.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
