Linux USB driver security issue

USB drivers included in the Linux kernel are rife with security flaws that in some cases can be exploited to run untrusted code and take over users’ computers.

The vast majority of these vulnerabilities came to light on Monday, when Google security expert Andrey Konovalov informed the Linux community of 14 vulnerabilities he found in the Linux kernel USB subsystem.

“All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine,” Konovalov said.

Konovalov has found a total of 79 Linux USB-related bugs

The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched.

Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code.

All bugs Konovalov discovered were found using syzkaller, a tool developed by Google that finds security bugs via a technique known as fuzzing.

POTUS project also found Linux USB driver flaws

Konovalov’s obsession with Linux kernel USB drivers is not an isolated case.

Earlier this year, security researchers from the University of London presented POTUS, a tool that finds vulnerabilities in Linux USB device drivers.

The tool finds bugs by setting up a virtual machine, a generic USB device, and by testing a USB driver using techniques such as fault injection, concurrency fuzzing, and symbolic execution.

Researchers found two Linux kernel flaws by testing USB drivers in POTUS. The first was CVE-2016-5400, a memory leak vulnerability in a USB device driver for communicating with an Airspy Software Defined Radio (SDR), while the second was a Use-After-Free vulnerability (no CVE identifier) that has existed in the Linux kernel’s Lego USB Tower driver since 2003.

The team’s work — a research paper titled “POTUS: Probing Off-The-Shelf USB Drivers with Symbolic Fault Injection” — won the Best Paper award at the USENIX WOOT 2017 security conference that took place over the summer.

Most Linux USB drivers not properly audited

The research paper highlighted that the widespread adoption of devices with USB interfaces has led to the Linux kernel having to support a wide range of drivers, most of which have not been thoroughly tested.

Past research [1, 2, 3, 4, 5] has tried to drawn attention to this widening security hole, but with little success.

Tools like POTUS and syzkaller have helped expose and get some of these flaws patched. Even Linux’s creator — Linus Torvalds — lauded recent fuzzing efforts that have uncovered various security issues.

As it stands right now, the Linux kernel USB subsystem needs more hardening against evil maid USB attacks. Even if some of these flaws require physical access, some of them will work even on low-privileged user accounts, so physical access is the only real requirement.

Flaws exploitable via USB are in high-demand, as they could be used to hack air-gapped systems, which are computers isolated from the public Internet or other internal networks. USBs are the only way data travels in and out of air-gapped systems. An attacker can plug in a USB thumb drive into a Linux air-gapped system, run exploit code, and steal data from such networks if some of the POTUS and Kovanolov bugs remained unpatched.

Source: Bleeping Computer