Slashdot Mirror


Linux Has a USB Driver Security Problem (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: USB drivers included in the Linux kernel are rife with security flaws that in some cases can be exploited to run untrusted code and take over users' computers. The vast majority of these vulnerabilities came to light on Monday, when Google security expert Andrey Konovalov informed the Linux community of 14 vulnerabilities he found in the Linux kernel USB subsystem. "All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine," Konovalov said. The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched. Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code.

19 of 156 comments

  1. an attacker has physical access to the machine by Anonymous Coward · · Score: 4, Informative

    you're already pwned

    1. Re:an attacker has physical access to the machine by Calydor · · Score: 4, Insightful

      If all it takes is access to plug in a USB dongle, that's a different kind of access than being able to open up the machine and tinker with it. Secretary turns her back for a moment? Plug it in while you can.

      Hell, with the tendency for people to plug in USB keys found on the street still to this day, that's all that would be required to exploit these flaws in an otherwise impenetrable building.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:an attacker has physical access to the machine by squiggleslash · · Score: 5, Funny

      Secretary turns her back for a moment? Plug it in while you can.

      Wow, Hollywood has actually been accurately portraying the state of security in Linux for years, and nobody realized!

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:an attacker has physical access to the machine by Anonymous Coward · · Score: 3, Funny

      UNREALISTIC. Windows does not have these same vulns. Secretary is safe.

    4. Re:an attacker has physical access to the machine by Jeremi · · Score: 5, Insightful

      Wow, Hollywood has actually been accurately portraying the state of security in Linux for years, and nobody realized!

      If it turns out that the secretaries of the world have been running Linux all these years, I will be rather surprised :)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    5. Re:an attacker has physical access to the machine by cstacy · · Score: 4, Funny

      Secretary turns her back for a moment? Plug it in while you can.

      Wow, Hollywood has actually been accurately portraying the state of security in Linux for years, and nobody realized!

      No, they haven't been portraying it accurately for years. But in the last few weeks we have seen actresses and secretaries in Hollywood coming forward with the story of what happens when they turn their backs and executive producers try to "plug it in while they can".

    6. Re:an attacker has physical access to the machine by tlhIngan · · Score: 4, Interesting

      Of course, all it takes is a few plug-in attempts to create kernel panics...or is that moral panics?

      I've had it happen to me while I was developing a USB device. Plugged it into a Linux machine and it kernel panics immediately. No, plug it into Windows and nothing happens.

      It turned out I screwed up the USB descriptors I was returning - Linux didn't like that I set the descriptor type wrong.

      Granted, this is something I did many many many years ago (around the time of the great east coast blackout) so I expect that it would be somewhat more robust now.

      It's also interesting to see how different OSes reacted - the USB descriptor is a fixed size, but some OSes (Windows, notably) only do a partial request - I think it was 5 bytes - in order to get the USB descriptor type and length bytes, then it re-ran the request with the proper size. Linux at the time simply did a proper sized request - the descriptor size is fixed and unchanging so what Windows did was completely unnecessary unless it was to ensure that devices responded properly.
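
Added example (not part of the comment above, and not Linux kernel code): a host-side check that treats descriptors from a device as untrusted input, covering the wrong-type and short-read cases this comment describes. Descriptor type codes and fixed sizes follow the USB 2.0 specification; the function names, error codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Descriptor type codes and fixed sizes from the USB 2.0 specification. */
enum { DT_DEVICE = 1, DT_CONFIG = 2, DT_INTERFACE = 4, DT_ENDPOINT = 5 };
enum { DEVICE_LEN = 18, CONFIG_LEN = 9, INTERFACE_LEN = 9, ENDPOINT_LEN = 7 };
enum desc_err { DESC_OK = 0, DESC_SHORT = -1, DESC_BAD_LEN = -2,
                DESC_BAD_TYPE = -3, DESC_OVERRUN = -4, DESC_BAD_COUNT = -5 };

/* Check a device descriptor; got = number of bytes the device really sent. */
int check_device_desc(const uint8_t *buf, size_t got)
{
    if (got < 2) return DESC_SHORT;          /* no bLength/bDescriptorType */
    if (buf[1] != DT_DEVICE) return DESC_BAD_TYPE;
    if (buf[0] != DEVICE_LEN) return DESC_BAD_LEN;
    if (got < DEVICE_LEN) return DESC_SHORT; /* header fine, body missing */
    return DESC_OK;
}

/* Walk a configuration descriptor and everything that follows it.
 * Returns the interface count (>= 0) or a negative desc_err. */
int check_config_desc(const uint8_t *buf, size_t got)
{
    if (got < CONFIG_LEN) return DESC_SHORT;
    if (buf[1] != DT_CONFIG) return DESC_BAD_TYPE;
    if (buf[0] != CONFIG_LEN) return DESC_BAD_LEN;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8); /* wTotalLength */
    if (total < CONFIG_LEN || total > got) return DESC_OVERRUN;
    int interfaces = 0;
    for (size_t off = CONFIG_LEN; off < total; ) {
        if (total - off < 2) return DESC_SHORT;
        uint8_t len = buf[off], type = buf[off + 1];
        if (len < 2 || len > total - off) return DESC_OVERRUN;
        if (type == DT_INTERFACE) {
            if (len < INTERFACE_LEN) return DESC_BAD_LEN;
            if (buf[off + 3] == 0) interfaces++;  /* count alt setting 0 only */
        } else if (type == DT_ENDPOINT && len < ENDPOINT_LEN) {
            return DESC_BAD_LEN;
        }
        off += len;  /* class-specific descriptors are skipped by length */
    }
    /* Strict policy chosen for this example: counts must agree. */
    if (interfaces != buf[4]) return DESC_BAD_COUNT;  /* bNumInterfaces */
    return interfaces;
}

/* Constructed sample: one configuration, one HID interface, one endpoint. */
static const uint8_t sample_cfg[] = {
    9, DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    9, DT_INTERFACE, 0, 0, 1, 3, 1, 1, 0,
    7, DT_ENDPOINT, 0x81, 3, 8, 0, 10 };
```

Every length the walker uses is checked against the number of bytes actually received, so a device that lies in `bLength` or `wTotalLength` gets an error code instead of an out-of-bounds read.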

    7. Re:an attacker has physical access to the machine by blindseer · · Score: 2

      Please tell me more. I recall a rather problematic security issue with early FireWire implementations that allowed direct access to a computer system's memory. Wasn't this used to break some DVD encryption keys? ThunderBolt might have similar problems but I have not looked into it thoroughly, this is likely much harder to fix since ThunderBolt is an extension of the PCI bus. ThunderBolt 3 uses USB-C for its standard connection port, is this what you mean by a physical hardware vulnerability? This kind of vulnerability does not apply to USB as it's not a direct memory access device like FireWire and ThunderBolt.

      Standard practice by many operating systems is to treat a USB device with more trust than I believe it should. For example, if someone plugs in a USB network device the OS will often install a driver, enable DHCP, request an IP address, and start talking to it. Auto-run has long been a problem for storage devices, but that's not unique to USB and it's not a hardware problem. These are problems that can be solved in software.

      What USB hardware vulnerabilities do you know about? I'm honestly curious since I've heard nothing of these things, and I like to think I follow computer security pretty closely.

      --
      I am armed because I am free. I am free because I am armed.
    8. Re:an attacker has physical access to the machine by AC-x · · Score: 2

      Embedded USB developer boards already exist and are just as cheap/easy to use as Arduinos.

    9. Re:an attacker has physical access to the machine by AC-x · · Score: 2

      What USB hardware vulnerabilities do you know about?

      One exploit I remember from a few years back is a custom USB device emulating a keyboard and mouse can issue commands via keyboard shortcuts and mouse clicks.

      Another one is emulating a network adapter to intercept and alter network traffic.

    10. Re:an attacker has physical access to the machine by AC-x · · Score: 2

      I think you're falling into the same trap as some other posters with "physical access = already pwned".

      USB is somewhat more dangerous because they are also ubiquitous inconspicuous storage devices and computers often have multiple easy to access USB ports.

      PS/2 ports are used exclusively for keyboard and mice and the ports are generally at the back of the computer, so you're not going to be able to trick someone into inserting a device like you could with something that looks like a USB stick and to do it yourself requires you to access the back of the computer rather than just quickly sticking something in the front. Also PS/2 ports are single function while a USB stick can emulate a keyboard and mouse at the same time which allows for certain attacks that aren't possible with keyboard alone (see the OSX example previously).

      With networking again you've got to get to the back of the computer, unplug the existing network connection, put a bridging device between them, plug it back in. All much more conspicuous than just slipping a USB-stick looking device into the machine somewhere. Plus I couldn't find any instructions for disabling USB networking on Windows or OSX, and even with Linux I'm not sure how you do it without disabling all USB devices.

  2. Linux kernel USB drivers by Archangel+Michael · · Score: 2, Interesting

    I think I found the problem. Kernel Space drivers are always prone to these kinds of problems. This is not new.

    The depth of the problem is newish, but only because someone peeked in and saw flaws.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  3. The fact is USB is inherently vulnerable by Anonymous Coward · · Score: 2, Interesting

    Linux drivers can mitigate that but they will never stop the problems in the USB spec.

  4. Re:Physical access by phantomfive · · Score: 2, Informative

    USB has a problem. Even if the kernel is 100% secure, you can use the USB standard to hack devices. This is why secure environments put glue in their USB ports.

    --
    "First they came for the slanderers and i said nothing."
  5. Seems like a good thing! by DarkOx · · Score: 3, Informative

    Servers in locked data centers - safe
    PCs in locked offices / homes - safe
    Laptops - safe if you shut it down and have BIOS password to enable boot, probably safe with encrypted root fs, provided machine is shut down to begin with.
    Laptop in your own hands - safe

    Now all those consumer devices that the manufacturer won't let you have access to, ROOTED!

    This is a win.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  6. Re:Physical access by coolsnowmen · · Score: 2

    secure environments do all that and more: 1) reduce physical access 2) in software blacklist the entire usb chain with the exception of keyboard/mouse. This means no driver will even be loaded no matter what you put in...

  7. Sandbox by goombah99 · · Score: 2

    I'm assuming these things happen because the USB device drivers load microcode from the USB device? If so why can't these things be sandboxed-- no reason to give them file access or network access or even much memory. If it's a matter of top line speed then let the user decide-- sandbox by default and let the user have a switch labeled "open your mouth and close your eyes-- give me a tiny bit more speede in return for butt neckid security."

    --
    Some drink at the fountain of knowledge. Others just gargle.
  8. Android by atisss · · Score: 2

    So, I guess it affects Android too..

    Oh, I see your phone is low on battery, here - have a charger

  9. Can we have PS/2 ports back now? by blindseer · · Score: 3, Interesting

    I've worked in secure environments and as someone that has obtained security certifications I see all kinds of problems with USB beyond improperly coded drivers. One common practice not that long ago was to disable any USB ports to stop people from plugging in things they weren't supposed to. This was only possible while PS/2 ports for keyboards and mice were still commonplace. (There was also that short period where some Apple computers had both ADB and USB ports.)

    I like USB-C. It's quite the improvement over what we've had before. I am a bit concerned on how this affects the security of our devices in the future. Controlling things like someone offering a "charger" for a laptop or cell phone to try to sneak into a device can be managed in many ways. Dedicated ports for video, keyboard, mouse, and even Ethernet had inherent security in that they did only so much which prevented certain security issues. Will all these ports go away and be replaced with USB-C?

    Again, I really like USB-C as it adds convenience and capability that nothing else offered before. It also adds security issues that a simple list of "dos and don'ts" cannot cover for many less technically knowledgeable people to follow. Securing computers from many kinds of attacks is going to be an increasingly difficult problem unless we get off this mentality of one port to rule them all.

    Maybe we'll see some means to better secure USB. Maybe we'll see computer systems that will allow one to disable anything that is not a HID or power device from being recognized on USB in the firmware. Maybe OS developers will provide better granularity on what USB ports are allowed to do.

    Maybe we'll get PS/2 ports back again. Probably not. I do think something has to give. If we can't have the inherent security of feature limited ports then we will need some security through better management of the ports that replace them.

    --
    I am armed because I am free. I am free because I am armed.