Date: Thu, 14 Mar 2013 12:01:26 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: "Christey, Steven M." <coley@...re.org> Subject: Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer overflow triggered by device -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/14/2013 11:36 AM, Christey, Steven M. wrote: > While perhaps a questionable action in many environments, attaching > a USB device is a common use case. The person attaching the device > has a reasonable expectation that code will NOT be executed, and > files will NOT be written outside the device, etc. without their > explicit permission or configuration. There is also a reasonable > expectation that the operation of the device will not perform > actions against the OS without implicit user permission. > > So, scenario 1 would clearly require a CVE. > > For other scenarios, it should be considered whether the > user/victim uses a "common" operation that is not obviously > dangerous. In scenario 3, clicking on a file in a USB device is a > common and reasonable operation, and unless that file is an > executable or otherwise automatically implies code execution, then > it is likely CVE-worthy if code execution, DoS, or some other > operation can be performed that is not within the intended > operation of the device. > > I'm not sure I understand scenario 2 well enough to give direct > advice, but even if the user installing the USB is targeted instead > of the kernel, then it may qualify for a CVE. > > - Steve > > >> -----Original Message----- From: Eugene Teo >> [mailto:eugeneteo@...nel.sg] Sent: Thursday, March 14, 2013 9:51 >> AM To: oss-security@...ts.openwall.com Subject: Re: >> [oss-security] CVE Request/Guidance: Linux kernel cdc-wdm buffer >> overflow triggered by device >> >> Hi Marcus, >> >> On Thursday, 14 March 2013, Marcus Meissner wrote: >> >>> Hi, >>> >>> I am wondering ... do we consider attacks with special attack >>> taylored USB devices as CVE worthy? >>> >>> There is only some precedence in the CVE DB, but not much. >>> >>> I stumbled over this fix from one of my colleagues where a >>> specifically made USB device reporting the "cdc-wdm" USB class >>> could cause a kernel heap overflow. >>> >>> "Malicious attached devices" might fall into several >>> categories: >>> >>> 1. Attaching the device causes the issue directly within the >>> kernel / autoloaded module, without user interaction. (here the >>> case) >>> >>> >>> 2. Attaching the device causes the issue when userspace, >>> dependend on e.g. desktop system, does initiate a seperate >>> action (like an automount and then exploitation of something) >>> (so not direct a kernel, but a kernel + GNOME/KDE >>> interaction). A contrived example: you plug in a (fake) evil GPS device which causes the system to go "oh a GPS device, I'll start up the GPS service, if said GPS service had a buffer overflow in handling the data sent by the evil (fake) GPS device could send data that causes code execution. I know this example (plug GPS device in, GPS service starts) works in Fedora by default for a few years now. I'm sure there are other exmaples too. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRQhB2AAoJEBYNRVNeJnmTAm0QAMxA5lF4uHGSMNVfsCoHUQAL GsqR+rCy+KCH5FLCLcISSj9x6YdBegVHNjohJ308Z3gtb546GUQNIobqZNW1MjuL ghk8+bPw8ZPQ2W22Fc6HrXGF1Aehy6minm2Icf/qADVf7NEz7A9TWWWu3FQmIL4k bZot3upy9wbJNhmeGjegb0EpFaJlhE4L8xQgb6CM6aImNTVaJsvSpvAMhpjf0DLp 5j4EA6i3QWBDHYHCtLcoLQCiADmXAZceaDqSX4cJQqIlqm+2WwOMFwozlBBb8ItP I4RtCepGVhxpI+G1s58uNj0J+GgMh6/UjmyxHvM2c16wYL6Dhb6FADGGpA5msY1W rmdmrFRGr86kqVBwB5i7VOKvX7ALeVNN5sCOkkaavzRZpsGRsz2yc3KFm0VdH+n7 TqJIo16ozzmzFGiH2M+pZpp9MdYxshmBhwwNWtOJJSiTfRVi2gSznk1OtKMWjB9c ocrRkaSbvjKrZ17yDs6Q7/BJC22SqevQhh9tKOw4ib5Pn48WxZEChHiYJAzY5n4L c9iCLCNzpInV5Iy6IoBKkAZ+odQSPmho30s3HBTm+qRVrvEzn90wxanuQbV8rEKg Y/Emtgj2Jb0ZTlLzNc4RFjOgWTD3Z1KObQfXvyKUeClOlSfc/eZD90vazQaCNjgt 2YFzg8XbHiSz9bzND0cl =fIP2 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.