Andrey Konovalov, a Google security researcher, recently published a report identifying 15 vulnerabilities (CVE-2019-19523 to CVE-2019-19537) in the USB drivers shipped with the Linux kernel. This is the third batch of problems found while fuzzing the USB stack with syzkaller; the same researcher had previously reported 29 vulnerabilities, which we already covered here on the blog.
As with the previously disclosed issues, the researcher notes that these bugs can potentially be exploited when specially prepared USB devices are plugged into a computer.
An attack requires physical access to the computer and leads at least to a kernel crash, though other outcomes are not ruled out (for a similar vulnerability identified in 2016 in the snd-usbmidi USB driver, for example, an exploit achieving code execution at kernel level was prepared).
In this new report by Andrey Konovalov, the list includes only vulnerabilities caused by accessing already freed memory (use-after-free) or leading to leaks of kernel memory contents.
Issues that can only be used for denial of service are not included in the report. The vulnerabilities could potentially be exploited when specially prepared USB devices are connected to a computer. Fixes for all the problems mentioned in the report are already included in the upstream kernel, but some bugs not covered by the report remain unfixed.
More bugs in Linux kernel USB drivers that can be triggered by a malicious external USB device were found with syzkaller… All of these bugs have been fixed upstream (but many other syzbot USB bugs are still not fixed).
The most dangerous ones, use-after-free bugs that could lead to execution of attacker-controlled code, have been fixed in the adutux, ff-memless, ieee802154, pn533, hiddev, iowarrior, mcba_usb and yurex drivers.
CVE-2019-19532 groups 14 additional out-of-bounds bugs in HID drivers. The ttusb_dec, pcan_usb_fd and pcan_usb_pro drivers had problems leading to leaks of kernel memory contents. In the USB stack code for character devices, an issue caused by a race condition was identified (CVE-2019-19537).
In the Linux kernel before 5.3.7, there is a use-after-free bug that can be triggered by a malicious USB device in drivers/usb/misc/adutux.c, also known as CID-44efc269db79.
In the Linux kernel before 5.3.12, there is a use-after-free bug that can be triggered by a malicious USB device in the /input/ff-memless.c driver, also known as CID-fa3a5a1880c9.
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be triggered by a malicious USB device in the HID drivers, also known as CID-d9d4b1e46d95. The affected files are:
drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c,
drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,
drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c,
drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,
drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c,
drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c,
drivers/hid/hid-zpff.c.
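The "fixed in" versions quoted above (5.3.7 for adutux, 5.3.12 for ff-memless, 5.3.9 for the HID drivers) are the only actionable data an administrator gets from this report, so here is a small defender-side check, written for this post and not taken from the original article or from the kernel project. It compares the running kernel release against those versions, reports which of the driver modules named in the report are present on the machine, and shows the USB authorization default of each root hub, which matters for the physical-access scenario the report describes. The mapping from file names to module names (hyphens become underscores under /sys/module) and the assumption that hiddev is compiled into the usbhid module are conventions, not facts stated on this page.

```shell
#!/bin/sh
# Added example, not from the original article or from the kernel project.
# Compares the running kernel against the "fixed in" versions quoted above,
# reports which of the named driver modules are present, and shows the USB
# authorization default. Module names and sysfs paths are assumptions based
# on standard kernel conventions; distributions backport fixes without
# changing the version, so "UNPATCHED" here means "check your vendor advisory".

# Return 0 (true) when dotted version $1 is strictly older than $2.
# Suffixes such as "-generic" or "+" are stripped; missing fields count as 0.
kver_lt() {
    a=$(printf '%s' "$1" | sed 's/[-+].*//')
    b=$(printf '%s' "$2" | sed 's/[-+].*//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Upstream "fixed in" versions as quoted in the article: <driver> <version>.
# "hid-ff-drivers" stands for the list of hid-*.c files above (CVE-2019-19532).
FIXED_IN='adutux 5.3.7
ff-memless 5.3.12
hid-ff-drivers 5.3.9'

# One line per entry: "UNPATCHED|ok <driver> fixed in <version>".
report_kernel() {
    running=${1:-$(uname -r)}
    printf '%s\n' "$FIXED_IN" | while read -r drv fixed; do
        if kver_lt "$running" "$fixed"; then status=UNPATCHED; else status=ok; fi
        printf '%-9s %-15s fixed in %s\n' "$status" "$drv" "$fixed"
    done
}

# Number of entries whose fix postdates the given kernel version.
count_unpatched() {
    report_kernel "$1" | grep -c '^UNPATCHED'
}

# True when a module is loaded or built in. Module names use underscores where
# the source file name has hyphens (assumed: hiddev is part of usbhid).
module_present() {
    [ -d "/sys/module/$(printf '%s' "$1" | tr - _)" ]
}

# Authorization default of each USB root hub: 1 = new devices are usable at
# once, 0 = they stay unauthorized until an administrator enables them.
show_usb_authorization() {
    for hub in /sys/bus/usb/devices/usb*; do
        [ -f "$hub/authorized_default" ] || continue
        printf '%s authorized_default=%s\n' "${hub##*/}" "$(cat "$hub/authorized_default")"
    done
}

echo "Kernel $(uname -r):"
report_kernel
echo "Driver modules named in the report:"
for m in adutux ff-memless ieee802154 pn533 usbhid iowarrior mcba_usb yurex; do
    if module_present "$m"; then echo "  $m: present"; else echo "  $m: not loaded"; fi
done
echo "USB root hubs:"
show_usb_authorization
```

Run it as root or a user with read access to sysfs; `count_unpatched 5.3.8` returns 2 because only the adutux fix predates that release. A version check is a starting point, not a verdict: Debian, Ubuntu, RHEL and SUSE kernels carry backported fixes under older version numbers, so the vendor advisory decides. Writing 0 to a root hub's `authorized_default` makes newly plugged devices stay inactive until an administrator authorizes them through the per-device `authorized` attribute, which is a reasonable stopgap on machines where the kernel cannot be updated immediately.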
Separately, four vulnerabilities (CVE-2019-14895, CVE-2019-14896, CVE-2019-14897, CVE-2019-14901) were identified in the driver for Marvell wireless chips, which can cause a buffer overflow.
An attack can be carried out remotely by sending specially crafted frames when the victim connects to an attacker-controlled wireless access point. The most likely outcome is a remote denial of service (kernel crash), but code execution on the system is not ruled out.
At the time of writing, the distributions (Debian, Ubuntu, Fedora, RHEL, SUSE) are still working on fixes for the problems disclosed several days ago, although a patch has already been proposed for inclusion in upcoming Linux kernel versions.