Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2

[Marcus Meissner <meissner () suse de>]

On Thu, Aug 22, 2019 at 10:04:42AM +0100, John Haxby wrote:
> > On 20 Aug 2019, at 19:20, Andrey Konovalov <andreyknvl () gmail com> wrote:
> >
> > * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15216
> >
> > An issue was discovered in the Linux kernel before 5.0.14. There is a
> > NULL pointer dereference caused by a malicious USB device in the
> > drivers/usb/misc/yurex.c driver.
> >
> > * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15217
> >
> > An issue was discovered in the Linux kernel before 5.2.3. There is a
> > NULL pointer dereference caused by a malicious USB device in the
> > drivers/media/usb/zr364xx/zr364xx.c driver.
> >
> > * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15218
> >
> > An issue was discovered in the Linux kernel before 5.1.8. There is a
> > NULL pointer dereference caused by a malicious USB device in the
> > drivers/media/usb/siano/smsusb.c driver.
> >
> > * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15219
> >
> > An issue was discovered in the Linux kernel before 5.1.8. There is a
> > NULL pointer dereference caused by a malicious USB device in the
> > drivers/usb/misc/sisusbvga/sisusb.c driver.
>
>
> Are these even realistic?   If I'm going to leave malicious USB devices in the parking lot for mischief am I going to 
> rely on the unknown victim running a Linux distro with the requisite kernel modules or am I going to just drop a 
> cheap and near-universal USB killer?
>
> If I'm going to be connecting the USB device to unguarded laptops myself to crash them, as opposed to destroy them, 
> why not just casually lean on the power button for a few seconds?[1]
>
> Actually, this is the CVSS3 score for a laptop's power button: 4.6 (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 
> (Medium).   There isn't a vector for a USB killer because there's no "A:P" (permanent loss).
>
> I'm not saying that these aren't bugs that should be fixed, far from it.  That's not the issue.  The issue is that, 
> for example, PCI DSS requires fixes for anything with a score >= 4.0 so we have endless end-users demanding fixes for 
> their servers which don't have even physical access or, indeed, physical presence.  It's not even demanding the fixes 
> as they may already be fixed or simply not applicable because the affected driver isn't present; it's the hours or 
> days wasted verifying that the fix available or not present.[2]
>
>
>
> Frustrated of Lancashire, jch
>
>
> [1] Some may remember the VAX 11/750 reset button.  In order to be able to use the serial console (usually a 
> DECwriter) you had to have the key in which also enabled the reset button.   Before I put the VAX "Do Not Copy this 
> Key" key (yes, it fits all 750s) I pressed accidentally pressed the reset button a couple of times just by propping 
> myself up on the machine.  Spectacularly bad design by today's standards.
>
>
> [2] Full disclosure.  It's ultimately about me because it's me that eventually gets the "customer requires fix for 
> CVE-2019-15216" :)

In the past we have considered Denial Of Service only USB vulnerabilites as non-issues, as physical access
can cause the same.

USB Vulnerabilities where you can achieve code execution by a malicious USB device are something else though and in my 
opinion warrant a CVE.

Ciao, Marcus