Date: Tue, 22 Sep 2015 17:49:53 -0700
From: Moein Ghasemzadeh <moein@...uary.com>
To: <oss-security@...ts.openwall.com>
Subject: Vulnerability in WhiteHEAT Linux Driver-CVE-2015-5257

Hello,

We have discovered a vulnerability in a Linux kernel module and would like to inform you so that required actions could be taken.

Assigned CVE ID: CVE-2015-5257.

Below is the description of the vulnerability.

1. Software name and vendor name:

USB WhiteHEAT serial driver by ConnecTech in the Linux kernel v3.19.0-28, but likely to exist in all kernel versions.

2. Type of vulnerability or attack outcome:

The vulnerability triggers a kernel NULL pointer dereference. It causes the OS to freeze on many machines and requires a cold reboot, causing denial of service.

3. A description of the affected code (e.g. the function name, the vulnerable web page, link to the affected code, a bug entry, etc.):

The flaw exists in the "whiteheat_attach" function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel. (http://lxr.free-electrons.com/source/drivers/usb/serial/whiteheat.c?v=3.19)

In the driver, the “COMMAND_PORT” variable is hard coded and is set to “4” (5th element). So, the driver assumes that the number of ports always will be 5 and takes the port number 5 as the command port. But, using a specially made USB device in which the number of ports was set to a number less than 5 (e.g. 3) we were able to perform Denial of Service on the system due to a kernel NULL pointer dereference. The system froze and requires a reboot.

You may find more information regarding the bug from the logs attached to this email.

Please let us know if you have any questions or concerns.

Thanks,

--
Moein Ghasemzadeh | Security Researcher
Istuary Innovation Labs Inc.
800, 1125 Howe St., Vancouver V6Z 2K8, BC, Canada
Tel: 604.299.0388 ext 812 | Fax: 604.299.8003
www.istuary.com <http://www.istuary.com/>

View attachment "dmesg.txt" of type "text/plain" (65714 bytes)
View attachment "lspci.txt" of type "text/plain" (1895 bytes)
View attachment "lshw.txt" of type "text/plain" (16111 bytes)
View attachment "lscpu.txt" of type "text/plain" (725 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
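
The bug class reported above, a fixed index applied to a port table whose length comes from the device, shown as a user-space model beside a bounds-checked form. This is an added example, not code from the kernel driver and not the fix applied upstream; `model_serial`, `model_port`, `MAX_PORTS` and the function names are hypothetical, and only `COMMAND_PORT` with its value 4 comes from the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PORTS    8  /* assumed capacity of the per-device port table */
#define COMMAND_PORT 4  /* hard-coded index from the report (5th element) */

struct model_port { int number; };

/* Simplified device state (assumption): only the first num_ports slots
 * are populated; every remaining slot stays NULL. */
struct model_serial {
    unsigned char num_ports;
    struct model_port *port[MAX_PORTS];
};

/* Populate the table from a port count taken from the device's descriptors,
 * which the device controls and the host must treat as untrusted. */
void model_init(struct model_serial *s, struct model_port *backing, unsigned char n)
{
    if (n > MAX_PORTS)
        n = MAX_PORTS;
    s->num_ports = n;
    for (size_t i = 0; i < MAX_PORTS; i++) {
        if (i < n) {
            backing[i].number = (int)i;
            s->port[i] = &backing[i];
        } else {
            s->port[i] = NULL;
        }
    }
}

/* Unchecked pattern: with num_ports < 5 this dereferences a NULL slot. */
int attach_unchecked(const struct model_serial *s)
{
    return s->port[COMMAND_PORT]->number;
}

/* Checked pattern: refuse to bind when the command port does not exist. */
int attach_checked(const struct model_serial *s)
{
    if (s->num_ports <= COMMAND_PORT || s->port[COMMAND_PORT] == NULL)
        return -ENODEV;
    return s->port[COMMAND_PORT]->number;
}

int main(void)
{
    struct model_port backing[MAX_PORTS];
    struct model_serial s;
    model_init(&s, backing, 3);  /* constructed input: device with 3 ports */
    printf("3 ports -> %d\n", attach_checked(&s));
    model_init(&s, backing, 5);  /* constructed input: device with 5 ports */
    printf("5 ports -> %d\n", attach_checked(&s));
    return 0;
}
```

`attach_unchecked` is deliberately never called from `main`, since running it against the 3-port model would crash the process the same way the report describes for the kernel.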