Re: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices

[Kurt Seifried <kseifried () redhat com>]

On Mon, Aug 22, 2016 at 11:38 PM, Willy Tarreau <w () 1wt eu> wrote:
> I'd classify it differently : something where a bug allows someone
> unauthorized to do something he couldn't do differently needs a CVE.
> That includes memory corruption, code execution, privilege increases,
> local DoS/panic/oops by just executing an exploit, etc. Here we're
> speaking about someone plugging some hardware into an open port which
> immediately takes the whole system down. Sure, the faulty code makes
> this possible. But the hardware is purposely designed for this. I can
> also design some hardware which takes the system down and possibly even
> fries it without involving the code at all. So once this device is
> built, if we assign a CVE, nobody will fix it and it will not even
> apply to any specific OS. Oh, after just one Google request I found
> that I was not the first one to think about it, it already exists :
>
>    http://arstechnica.com/security/2015/10/usb-killer-
> flash-drive-can-fry-your-computers-innards-in-seconds/

Ah but defending against this sort of physical attack is actually quite
easy, use a USB hub, or for higher assurance use a wireless USB hub. TBH
I'm not sure what the difference is between say the above USB killer and a
small taser or a small squirt bottle of saline solution.

In general I should be able to plug USB devices into a computer without the
computer succumbing to software based attacks (stuxnet anyone?).

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com