Date: Mon, 22 Aug 2016 14:37:17 -0400 (EDT)
Subject: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices

> Perhaps we need to add more criteria to select CVE assignment.

Because we're not in a position to have a CVE ID for every bug that is
possibly of security relevance to anyone, one question is whether the
cost of having an ID is too high given the benefit of the ID to risk
management. Our understanding of the prevailing response theme is that
system administrators typically shouldn't have an expectation that the
OS (or the hardware) can continue running if an attacker can connect
an object of their choice to a USB port. This seems consistent with
the criteria that you listed. If there are, for example, Linux
distribution vendors that plan to engage their full
vulnerability-management process to produce and announce an
end-user-consumable kernel update that resolves only a single simple
DoS issue (requiring physical access to a USB port), then we may need
to reconsider. Costs to maintaining a large number of Linux kernel
CVEs for this specific type of simple DoS include:

  - there is a potentially misleading message that it is "common" to
    track this type of bug as a vulnerability

  - there is a potentially misleading message that USB in the Linux
    kernel has many vulnerabilities, whereas USB in another product
    (such as a closed-source OS) does not

> That said, this leaves malicious USB devices posing as regular keyboards
> for text injection unclassified ...

There has been a related CVE for five years (CVE-2011-0640), although
selecting udev as the responsible component was probably not the right
approach, and maybe that CVE should be updated or rejected. We think
the current understanding, very roughly, is:

  - the Linux kernel does not require a configuration in which a newly
    connected USB device is recognized in any way

  - a Linux distribution may ship with a default configuration in
    which a newly connected USB device can operate as a keyboard and
    inject text into an application

  - some Linux distributions want to have this behavior, and their
    maintainers have concluded that there is no comprehensive method
    for "asking a user" about a new USB device in a way that is
    compatible with all use cases

  - if anyone (whether a Linux distribution or other type of product)
    is announcing a required security update, in which software or
    configuration is being changed to address malicious keyboard
    attacks, then we can assign a CVE ID to associate with the update

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]