Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160822205542.GB12931@kroah.com>
Date: Mon, 22 Aug 2016 16:55:42 -0400
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Cc: meissner@...e.de, cve-assign@...re.org
Subject: Re: Re: CVE Request: Linux kernel crash of OHCI when
 plugging in malicious USB devices

On Mon, Aug 22, 2016 at 02:37:17PM -0400, cve-assign@...re.org wrote:
> There has been a related CVE for five years (CVE-2011-0640), although
> selecting udev as the responsible component was probably not the right
> approach, and maybe that CVE should be updated or rejected. We think
> the current understanding, very roughly, is:

Yes, udev isn't the correct place for it, but I really don't know what
would be.  What "tool" was assigned this CVE for other operating systems
that do the same thing (all BSDs, OS-X, Windows, etc.)?

> 
>   - the Linux kernel does not require a configuration in which a newly
>     connected USB device is recognized in any way

I don't understand this statement, can you clarify?

The Linux kernel has a configuration that does not allow any USB devices
to work, unless explicitly granted permission to do so by a userspace
tool.  The device will be enumerated, but that is all, it is up to
userspace to then tell the kernel to actually "use" the device.
This feature has been present at the USB "device" level for quite some
time, and at the USB "interface" level now for I think over a year (can
dig it out if people really care, the work was done by someone from
SuSE.)

Also, all Wireless USB devices operate in this manner "by default" for
as long as Linux has supported Wireless USB devices (thankfully these
devices are really rare.)

>   - a Linux distribution may ship with a default configuration in
>     which a newly connected USB device can operate as a keyboard and
>     inject text into an application

Yes, but I don't understand, perhaps what you really mean to say is:
	A Linux distribution may ship with a default configuration of
	trusting all new devices that are plugged in without any form of
	userspace authentication before they begin to operate.

>   - some Linux distributions want to have this behavior, and their
>     maintainers have concluded that there is no comprehensive method
>     for "asking a user" about a new USB device in a way that is
>     compatible with all use cases

Huh?  There is such a method, Linux has supported this for a very long
time (see above.)   It's up to the distro to decide to use it or not,
that's their choice (hint, I don't blame them for making this choice,
it's what almost all users expect and want as well...)

>   - if anyone (whether a Linux distribution or other type of product)
>     is announcing a required security update, in which software or
>     configuration is being changed to address malicious keyboard
>     attacks, then we can assign a CVE ID to associate with the update
>     announcement

Why would a CVE be needed for a "my distro decides to not trust USB
devices as much as your distro does" type decision?  This is just a
matter of how a distribution configures their kernel, combined with
their decision of how to deal with new USB devices.  Perhaps you could
argue that some of those decisions might be "more secure" than others,
but I don't see a "bug" that is resolved by deciding about this one way
or the other, do you?

thanks,

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.