oss-sec mailing list archives
Re: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices
From: Greg KH <greg () kroah com>
Date: Mon, 22 Aug 2016 16:55:42 -0400
On Mon, Aug 22, 2016 at 02:37:17PM -0400, cve-assign () mitre org wrote:
> There has been a related CVE for five years (CVE-2011-0640), although selecting udev as the responsible component was probably not the right approach, and maybe that CVE should be updated or rejected. We think the current understanding, very roughly, is:
Yes, udev isn't the correct place for it, but I really don't know what would be. What "tool" was assigned this CVE for other operating systems that do the same thing (all BSDs, OS-X, Windows, etc.)?
> - the Linux kernel does not require a configuration in which a newly connected USB device is recognized in any way
I don't understand this statement, can you clarify? The Linux kernel has a configuration that does not allow any USB devices to work, unless explicitly granted permission to do so by a userspace tool. The device will be enumerated, but that is all, it is up to userspace to then tell the kernel to actually "use" the device. This feature has been present at the USB "device" level for quite some time, and at the USB "interface" level now for I think over a year (can dig it out if people really care, the work was done by someone from SuSE.) Also, all Wireless USB devices operate in this manner "by default" for as long as Linux has supported Wireless USB devices (thankfully these devices are really rare.)
> - a Linux distribution may ship with a default configuration in which a newly connected USB device can operate as a keyboard and inject text into an application
Yes, but I don't understand, perhaps what you really mean to say is: A Linux distribution may ship with a default configuration of trusting all new devices that are plugged in without any form of userspace authentication before they begin to operate.
> - some Linux distributions want to have this behavior, and their maintainers have concluded that there is no comprehensive method for "asking a user" about a new USB device in a way that is compatible with all use cases
Huh? There is such a method, Linux has supported this for a very long time (see above.) It's up to the distro to decide to use it or not, that's their choice (hint, I don't blame them for making this choice, it's what almost all users expect and want as well...)
> - if anyone (whether a Linux distribution or other type of product) is announcing a required security update, in which software or configuration is being changed to address malicious keyboard attacks, then we can assign a CVE ID to associate with the update announcement
Why would a CVE be needed for a "my distro decides to not trust USB devices as much as your distro does" type decision? This is just a matter of how a distribution configures their kernel, combined with their decision of how to deal with new USB devices. Perhaps you could argue that some of those decisions might be "more secure" than others, but I don't see a "bug" that is resolved by deciding about this one way or the other, do you?

thanks,

greg k-h
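As an added illustration (not code from this thread or from the kernel project), the device-level and interface-level authorization that Greg describes can be driven from sysfs: deny new devices by default on each root hub, see which enumerated devices are waiting for a decision, and grant one explicitly. It assumes the standard /sys/bus/usb/devices layout and root privileges on a real system; SYSFS_USB is overridable so the functions can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from this thread: default-deny new USB devices with the
# kernel's sysfs authorization knobs, then grant a single device by hand.
# Assumes the standard Linux layout under /sys/bus/usb/devices; SYSFS_USB is
# overridable so the functions can be exercised on a constructed tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Write 0 to authorized_default on every root hub (usbN): devices still
# enumerate, but no driver binds until userspace sets authorized=1. Where the
# interface-level knob exists, deny that by default as well.
usb_default_deny() {
    for hub in "$SYSFS_USB"/usb*; do
        if [ -f "$hub/authorized_default" ]; then
            printf '0' > "$hub/authorized_default"
        fi
        if [ -f "$hub/interface_authorized_default" ]; then
            printf '0' > "$hub/interface_authorized_default"
        fi
    done
    return 0
}

# Print the authorized flag (0/1) of a device or interface by sysfs name.
usb_authorized_state() {
    cat "$SYSFS_USB/$1/authorized" 2>/dev/null
}

# Grant a single device (e.g. 1-1) or interface (e.g. 1-1:1.0) once the
# operator has decided to trust it. Fails if the node has no authorized file.
usb_authorize() {
    [ -f "$SYSFS_USB/$1/authorized" ] || return 1
    printf '1' > "$SYSFS_USB/$1/authorized"
}

# List enumerated devices (not interfaces) still waiting for a decision.
usb_pending() {
    for dev in "$SYSFS_USB"/*-*; do
        case "$dev" in *:*) continue ;; esac   # 1-1:1.0 is an interface node
        if [ "$(usb_authorized_state "$(basename "$dev")")" = "0" ]; then
            basename "$dev"
        fi
    done
    return 0
}
```

On a live system, run usb_default_deny early in boot (before any untrusted port is reachable) and let a udev rule or a privileged helper call usb_authorize only for devices matching an allow-list.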