Google researcher finds 14 Linux USB subsystem security vulnerabilities
Google researcher Andrey Konovalov recently discovered 14 Linux USB subsystem security vulnerabilities, all of which can be triggered by a “crafted malicious USB device in case an attacker has physical access to the machine.”
Konovalov found the glitches using Syzkaller, a coverage-guided kernel fuzzer; earlier this year he used the same tool to discover an 11-year-old flaw in the Linux kernel. Fuzzing works by feeding large amounts of automatically generated input to a specific piece of software in order to trigger crashes.
The 14 security flaws affect Linux kernels prior to version 4.13.8. Although these vulnerabilities have fixes, they are part of a larger group of 79 security flaws affecting the Linux kernel’s USB drivers. Within this group, 22 glitches have been assigned a Common Vulnerabilities and Exposures (CVE) number. While many of these vulnerabilities have fixes available, several remain unreported and unpatched.
Konovalov originally reported the 79 vulnerabilities in December 2016 through a Google Groups mailing list whose members included Google, Intel and The Linux Foundation. He continued to notify the list as new results came in throughout the year.
Several of the glitches Konovalov noted on the mailing list were reported last September and October. Some of these were found in release candidates of kernel version 4.14, so the kernel developers were able to catch them during the development process. Among the most recent glitches Konovalov reported was one in 4.14 release candidate (RC) 8.
“Those 14 bugs that I found are triggerable externally by connecting malicious USB devices,” Konovalov told The Register, “so in this case we attack the kernel kind of ‘from the other side.’ In theory it might be possible to exploit a vulnerability in a USB device itself, and then use the compromised device to externally trigger a kernel bug.”
As previously noted, an attacker must have physical access to a machine to exploit these flaws. That requirement should not be taken to understate the lengths to which attackers will go to breach a network. Some cybercriminals have attempted to infiltrate businesses by ‘losing’ malware-infected USB sticks in company parking lots. In addition, glitches of this type can be leveraged against air-gapped systems that are not connected to the internet, where a USB device is the means of delivering exploit code to the target.