Google researcher finds 79 Linux USB vulnerabilities


The Linux world learned last week that there is something surprisingly large and flaky at the heart of the platform’s kernel USB drivers.

It turns out they’re choc full of security vulnerabilities. USB drivers might not the first place in Linux that most people would think to look for vulnerabilities (or the coolest), but they turned out to be a rich hunting ground for Google researcher Andrey Konovalov all the same.

How big is the problem? It depends which subset of flaws you start with.

The headline list comprises 14 new flaws Konovalov found using a kernel fuzzing tool called syzkaller created by fellow Google researcher, Dmitry Vyukov.

These 14 flaws have been assigned their own CVE numbers.

Then there are an additional 65 vulnerabilities previously found in the same subsystem (eight of which have been assigned their own CVEs), to make a grand total of 79 reported by the Google man since last December.

As to the harm they could do if exploited in differet versions of the kernel before v4.13.8 (which appeared in mid-October), he said something important of the original 14 that probably applies across the board:

All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine.

This sounds reassuring because an attacker would have to be sitting in front of a vulnerable Linux computer, able to plug a USB device into it, with the effect of an exploit being to cause a crash or a denial of service in most cases.

Except an attacker wouldn’t necessarily have to gain access to a target machine themselves, they only need to find a way to fool somebody else into doing it for them. Something that studies suggest users will do voluntarily if an attacker just leaves enough USB sticks lying around.

These flaws aren’t going to bring the Internet to a standstill any time soon (and many were patched some weeks ago), but they’re still a tempting target for a specialist attacker to use as a stepping stone for something more serious, such as attacks on air-gapped systems.

The usual advice to stay on top of your updates applies.

Being the Linux kernel, these flaws affect a lot of devices although how many is difficult to say. There are a profusion of Linux distributions, Google’s Chrome OS, the welter of devices built on Linux that have a USB port, and of course Android (some Android smartphones and tablets use the USB subsystem to enable the ageing USB OTG interface, some don’t).

Seventy-nine vulnerabilities is a lot to find in only one part of the Linux kernel in a year but perhaps we shouldn’t be too hard on Linux itself. Finding bugs is better than not finding them, after all, and when USB support was added in 1999 it supported just two types of device: mice and keyboards. The number has expanded considerably since then.

That’s a lot of software for developers to keep up with. Konovalov’s dogged research into this area suggests they haven’t been.