14 Flaws Found in Linux Kernel USB Subsystem (CVE-2017-16525)

14 flaws in Linux kernel USB drivers were just disclosed by Google researcher Andrey Konovalov. The researcher found the vulnerabilities using a kernel fuzzer known as syzkaller.

The “14 vulnerabilities found with syzkaller in the Linux kernel USB subsystem… can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine,” the researcher wrote. Fortunately, all the issues have already been addressed and fixed.

A Total of 79 Flaws Affect Linux Kernel USB Drivers

However, it turns out that they are part of a group of 79 other flaws that affect the Linux kernel’s USB drivers. Out of these 79 vulnerabilities, 22 have been given CVE identifiers and have available fixes, but not all of them have been fixed.

One of the flaws disclosed by Konovalov is CVE-2017-16525, where:

The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup.

The initially mentioned 14 flaws affect Linux kernel versions before 4.13.8. Researchers say that they can be leveraged in denial-of-service attacks. However, a specially crafted USB device may also be used to crash a system and cause other, unspecified problems.

Even though physical access is required for these attacks to take place, Stuxnet shouldn’t be forgotten, as it was triggered in exactly a similar manner: through infected USB drives previously plugged into a compromised computer. There have been other cases of attackers dropping infected USB devices in company parking lots and waiting for employees to pick them up and insert them into their computers.

The researcher’s syzkaller reports are definitely keeping kernel developers occupied. In the meantime, Linus Torvalds announced the 4.14 RC 8 release on Sunday. On the next day, however, Konovalov had already come across several other USB bugs. Some of them have been addressed but others haven’t.

Milena Dimitrova
