The Linux world learned last week that there is something surprisingly large and flaky at the heart of the platform’s kernel USB drivers.
It turns out they’re chock-full of security vulnerabilities. USB drivers might not be the first place in Linux that most people would think to look for vulnerabilities (or the coolest), but they turned out to be a rich hunting ground for Google researcher Andrey Konovalov all the same.
How big is the problem? It depends which subset of flaws you start with.
The headline list comprises 14 new flaws Konovalov found using a kernel fuzzing tool called syzkaller created by fellow Google researcher, Dmitry Vyukov.
These 14 flaws have been assigned their own CVE numbers.
Then there are an additional 65 vulnerabilities previously found in the same subsystem (eight of which have been assigned their own CVEs), to make a grand total of 79 reported by the Google man since last December.
As to the harm they could do if exploited in different versions of the kernel before v4.13.8 (which appeared in mid-October), he said something important of the original 14 that probably applies across the board:
All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine.
This sounds reassuring because an attacker would have to be sitting in front of a vulnerable Linux computer, able to plug a USB device into it, with the effect of an exploit being to cause a crash or a denial of service in most cases.
Except that an attacker wouldn’t necessarily have to gain access to a target machine themselves; they only need to find a way to fool somebody else into doing it for them, something that studies suggest users will do voluntarily if an attacker just leaves enough USB sticks lying around.
These flaws aren’t going to bring the Internet to a standstill any time soon (and many were patched some weeks ago), but they’re still a tempting target for a specialist attacker to use as a stepping stone for something more serious, such as attacks on air-gapped systems.
The usual advice to stay on top of your updates applies.
Being the Linux kernel, these flaws affect a lot of devices, although how many is difficult to say. There is a profusion of Linux distributions, Google’s Chrome OS, the welter of devices built on Linux that have a USB port, and of course Android (some Android smartphones and tablets use the USB subsystem to enable the ageing USB OTG interface, some don’t).
Seventy-nine vulnerabilities is a lot to find in only one part of the Linux kernel in a year, but perhaps we shouldn’t be too hard on Linux itself. Finding bugs is better than not finding them, after all, and when USB support was added in 1999 it supported just two types of device: mice and keyboards. The number has expanded considerably since then.
That’s a lot of software for developers to keep up with. Konovalov’s dogged research into this area suggests they haven’t been.
David M
So, cause a crash or DNS – and that’s it? So a reboot, and you’re back and running with no issues?
Though not fully clear from the article, does that mean there is NO threat of:
1) changing data in a locked Linux computer (no user logged in)
2) copying data from a locked system
3) deleting data from a locked computer
Paul Ducklin
It does look as though this is a laundry list of DoSes (denial of service vulnerabilities), so it doesn’t sound like a TEOTWAWKI [*] situation.
I wouldn’t rule out more serious exploits being possible, given that some of them can cause system crashes, and as the bloke reporting the bugs says, this could “possibly have unspecified other impact”. That’s a bit nebulous, but there’s always a chance that reliably provokable crashes could be provoked in a way that gets you more than just a crash.
So I would treat these as somewhere above a Douglas Adamsian “mostly harmless”, and patch ASAP anyway. Just in case.
[*] The End Of The World As We Know It.
Anonymous
“Unspecified impact” is the security researcher’s way of saying “we managed to get this bug to crash the system and it may be exploitable but we don’t have time or motivation to find out how far we can take it”. Very many vulnerabilities with “unspecified impact” are exploitable.
Laurence Marks
Ok, if I were to find a USB stick, I might turn auto-run off and scan it before doing anything with it. May I assume that Sophos AV protects against known USB vulnerabilities?
Paul Ducklin
We protect against USB-triggered threats if we can. As always, however, the answer, as often, is, “It depends.” (TBH, I haven’t looked through all these 79 vulns to see what’s what.)
When you get vulnerabilities inside the kernel drivers (on almost any operating system, not just Linux) that actually support pluggable device type X, then it’s possible that the driver could go haywire *even before device X is mounted as a usable device*, at which point…
…there isn’t a device to scan yet :-(
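Because the driver handles the device before there is anything to scan, the defender’s counterpart is to stop the kernel binding drivers to unknown devices in the first place. As an added example that is not part of the article or the comments, this POSIX sh script sets every USB root hub to leave newly plugged devices unauthorized by default and lets an administrator allow them one at a time; it assumes the standard sysfs attributes named in its comments, and every function takes the sysfs directory as an argument so it can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Default-deny new USB devices at the kernel level. Added example, not code
# from the article or from Sophos. Assumes the standard sysfs interface:
#   /sys/bus/usb/devices/usbN/authorized_default   (per root hub; 0 means a
#       newly plugged device is enumerated but no driver is bound to it)
#   /sys/bus/usb/devices/<bus-port>/authorized     (per device; 1 allows it)
# Every function takes the sysfs devices directory as $1 so the same code
# runs against a constructed test tree as well as the real one.

# Write $2 (default 0) to authorized_default on every root hub under $1.
# Prints the number of host controllers updated; returns 1 on a write error.
usb_set_authorized_default() {
    root="$1"; value="${2:-0}"; n=0
    for hc in "$root"/usb*; do
        [ -f "$hc/authorized_default" ] || continue
        printf '%s\n' "$value" > "$hc/authorized_default" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Print the sysfs names (e.g. 1-2 = bus 1, port 2) of devices that are
# plugged in but still unauthorized, one per line. Interface directories
# (1-2:1.0) carry their own "authorized" file and are skipped here.
usb_list_unauthorized() {
    root="$1"
    for d in "$root"/[0-9]*-*; do
        case "$d" in *:*) continue ;; esac
        [ -f "$d/authorized" ] || continue
        read -r state < "$d/authorized"
        if [ "$state" = "0" ]; then
            printf '%s\n' "${d##*/}"
        fi
    done
    return 0
}

# Allow one specific device by sysfs name once an admin has identified it.
# Returns 1 if no such device is present.
usb_authorize_device() {
    root="$1"; name="$2"
    [ -f "$root/$name/authorized" ] || return 1
    printf '1\n' > "$root/$name/authorized"
}

# Touch the live system only when explicitly requested (needs root).
if [ "${USB_AUTHZ_APPLY:-0}" = "1" ]; then
    usb_set_authorized_default /sys/bus/usb/devices 0
    usb_list_unauthorized /sys/bus/usb/devices
fi
```

With authorized_default at 0 a newly plugged keyboard is also left inert until authorized, so keep a way to run the authorize step (an already-attached console, or a udev rule that allows known vendor/product IDs). This blocks driver binding only; it does nothing against a device that is electrically hostile rather than a malformed USB peer.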
David M
Though I’m sure they are quite rare, don’t forget about the “Killer USB sticks” that give the computer a high voltage hit from power stored in a capacitor in the stick itself.
It would seem like a good idea to never put a found USB stick in any computer you are not willing to see destroyed.
Just go to Youtube and put “Killer USB stick” into the search if you have not heard of this.
Paul Ducklin
Or just read this one:
https://nakedsecurity.sophos.com/2017/03/22/usb-pen-testing-stick-what-happens-if-it-falls-into-malicious-hands/