Date: Mon, 22 Aug 2016 14:37:17 -0400 (EDT) From: cve-assign@...re.org To: meissner@...e.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Perhaps we need to add more criteria to select CVE assignment. Because we're not in a position to have a CVE ID for every bug that is possibly of security relevance to anyone, one question is whether the cost of having an ID is too high given the benefit of the ID to risk management. Our understanding of the prevailing response theme is that system administrators typically shouldn't have an expectation that the OS (or the hardware) can continue running if an attacker can connect an object of their choice to a USB port. This seems consistent with the criteria that you listed. If there are, for example, Linux distribution vendors that plan to engage their full vulnerability-management process to produce and announce an end-user-consumable kernel update that resolves only a single simple DoS issue (requiring physical access to a USB port), then we may need to reconsider. Costs to maintaining a large number of Linux kernel CVEs for this specific type of simple DoS include: - there is a potentially misleading message that it is "common" to track this type of bug as a vulnerability - there is a potentially misleading message that USB in the Linux kernel has many vulnerabilities, whereas USB in another product (such as a closed-source OS) does not > That said, this leaves malicious USB devices posing as regular keyboards > for text injection unclassified ... There has been a related CVE for five years (CVE-2011-0640), although selecting udev as the responsible component was probably not the right approach, and maybe that CVE should be updated or rejected. We think the current understanding, very roughly, is: - the Linux kernel does not require a configuration in which a newly connected USB device is recognized in any way - a Linux distribution may ship with a default configuration in which a newly connected USB device can operate as a keyboard and inject text into an application - some Linux distributions want to have this behavior, and their maintainers have concluded that there is no comprehensive method for "asking a user" about a new USB device in a way that is compatible with all use cases - if anyone (whether a Linux distribution or other type of product) is announcing a required security update, in which software or configuration is being changed to address malicious keyboard attacks, then we can assign a CVE ID to associate with the update announcement - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXu0WUAAoJEHb/MwWLVhi2SA8P/A/bNt12snkfgrrXfULX1RgT 9Llg1hfUuk1EykVkV0iePtitcudpMeIDdoM//fodR8BvsHdBhvyx2Jv4cHlolxrL R4I5HjecgFVLBFRIE9Ze2Cw85xM0N/CEmxeKnJ6neUxmNFTA1ciK5SguJZINn4vv YAzq4385oFJ8DYpB7KZ/WgUhYV+woNsiFqjm3PmbfDYpFp1Qg5w72HAunCTam4IT j/SHTYq/Ntr6aezzs65uinzP4yh2hS6SuAui81z+Sjhc6FzBndizK2h4GTzerG3s X2tUG+ogzSREro+jiVQh6EORYhMGnQfUv0zvYd3Y3I0VVkpvUXOcHBgNGIsSC0B4 SZSvF8zQ9zqJqzvI7vwQs5ODfdwivS99nFjeNND0dNSKscSXPCjZ/Xtl61xu2k2y zjq9V3BN1UAk9kgIBgsV2tTEdwUL2bqgC7u+dNVMqzw/ms62cZQzKdvCFdIBCUt8 SO4BXad5KoOA22FgpleG1LTcsZEFPxlvbJ845Vab3lpyFJnnXofuxi31EcJsDLWI 23OmxgoYUPp2p7g0RjYi5k3oqNO84nOZKG8RUJl9r6xTZh41ftS7fUHpQsnc8hiw vIvVOxgr6yrhp+JusTuas6doQhr4Mev8Cz1b460Fb6R14TE2G2r0/ooR3OtgkGAE p7l0Yj54nVW00GrVSwWd =XrOI -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.