Don't worry about those 40 Linux USB security holes. That's not a typo

Move along. Nothing to see here. By the way, try this flash drive in your laptop, ta

Linux penguin canape... snacks. Photo by SHutterstock

The Linux kernel USB subsystem has more holes than a donut shop. On Monday, Google security researcher Andrey Konovalov disclosed 14 Linux USB flaws found using syzkaller, a kernel fuzzing tool developed by another Google software engineer, Dmitry Vyukov.

That's just the tip of the iceberg. In an email to The Register, Konovalov said he asked for CVEs for another seven vulnerabilities on Tuesday, and noted there are something like 40 that have not been fixed or triaged.

Konovalov downplayed the risk posed by the flaws, based on the fact that physical access is a prerequisite to an attack. In other words, to exploit these vulnerabilities and potentially hijack a machine or infect it with spyware, you have to be be able to actually insert a malicious USB gadget into a Linux-powered system.

Still, there are plenty of these ports around – like on your Linux-powered in-flight entertainment unit on an airplane, and on your Linux-powered Android handheld and ChromeOS laptop.

"The impact is quite limited, all the bugs require physical access to trigger," said Konovalov. "Most of them are denial-of-service, except for a few that might be potentially exploitable to execute code in the kernel."

In an online discussion of the flaws, it was suggested that the WebUSB API might provide a way to take advantage of the bugs remotely, but Konovalov expressed skepticism.

"I might be wrong here, but as far as I understand, WebUSB API can be used by a web page to interact with a USB device (or USB device driver) from user space (which can potentially be used to exploit bugs in the kernel)," he said. "Those 14 bugs that I found are triggerable externally by connecting malicious USB devices, so in this case we attack the kernel kind of 'from the other side.' In theory it might be possible to exploit a vulnerability in a USB device itself, and then use the compromised device to externally trigger a kernel bug."

Nonetheless, such flaws are just the sort of thing hackers and other miscreants may appreciate were they looking to conduct dropped-drive attacks – leaving a booby-trapped gizmos in a parking lot, say – which happen to be rather more effective than they should be. ®

The CVEs so far...

Biting the hand that feeds IT © 1998–2018