Google's Syzkaller fuzzer used to discover several flaws in the Linux USB subsystem

Pierluigi Paganini November 08, 2017

The Google researcher Andrey Konovalov discovered several vulnerabilities in the Linux kernel USB subsystem using the Google Syzkaller fuzzer.

Google researcher Andrey Konovalov has discovered many security vulnerabilities in the Linux USB subsystem.

Using Syzkaller, a kernel fuzzing tool developed by Google, the expert found dozens of bugs, 22 of them security flaws.

Konovalov published details of 14 of the vulnerabilities, classified as use-after-free, general protection fault, out-of-bounds read and NULL pointer dereference issues. All of them can be triggered to crash the kernel, a denial-of-service (DoS) condition, and one of the issues might be exploitable to execute arbitrary code.

The expert pointed out that an attacker needs to have physical access to the targeted system and connect a malicious USB device to trigger the vulnerabilities.

“Below are the details for 14 vulnerabilities found with syzkaller in the Linux kernel USB subsystem. All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine.” reads the security advisory.
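The attack surface behind the quote above is descriptor parsing: every length field in a configuration descriptor is written by the device, so a crafted device can lie about them. The following is an added example illustrating the out-of-bounds-read and hang classes in a user-space descriptor walker. It is not code from the kernel or from Konovalov's advisory, and it does not reproduce any of the 14 reported bugs; the descriptor blobs are constructed for this illustration, and `count_endpoints` is a hypothetical helper, not a kernel API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor type codes from the USB 2.0 specification (table 9-5). */
#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

/* Minimum sizes the specification defines for the descriptors we walk. */
#define USB_DT_CONFIG_SIZE    9
#define USB_DT_INTERFACE_SIZE 9
#define USB_DT_ENDPOINT_SIZE  7

/*
 * Walk a configuration descriptor blob as returned by a device and count
 * the endpoint descriptors it contains.  Returns the count, or -1 if the
 * blob is malformed.  Every bLength and wTotalLength here was written by
 * the device, so it is attacker-controlled; `buflen` (what the host
 * actually received) is the only trusted bound.  Hypothetical helper.
 */
int count_endpoints(const uint8_t *buf, size_t buflen)
{
    /* The configuration header itself must be present and well-formed. */
    if (buflen < USB_DT_CONFIG_SIZE || buf[0] < USB_DT_CONFIG_SIZE ||
        buf[1] != USB_DT_CONFIG)
        return -1;

    /* wTotalLength (little-endian, bytes 2..3) is the device's claim about
     * how much follows.  A parser that trusts it reads past the buffer
     * when the device lies; bound it by what was actually received. */
    size_t total = buf[2] | ((size_t)buf[3] << 8);
    if (total < buf[0] || total > buflen)
        return -1;

    int endpoints = 0;
    size_t off = buf[0];            /* first descriptor after the header */

    while (off < total) {
        /* bLength and bDescriptorType must both lie inside the blob. */
        if (total - off < 2)
            return -1;
        uint8_t len  = buf[off];
        uint8_t type = buf[off + 1];

        /* bLength == 0 would spin this loop forever; bLength reaching past
         * wTotalLength would push the next read out of bounds. */
        if (len < 2 || len > total - off)
            return -1;

        if (type == USB_DT_ENDPOINT) {
            /* A truncated endpoint descriptor has fields (wMaxPacketSize,
             * bInterval) beyond bLength: reading them is an OOB read. */
            if (len < USB_DT_ENDPOINT_SIZE)
                return -1;
            endpoints++;
        } else if (type == USB_DT_INTERFACE) {
            if (len < USB_DT_INTERFACE_SIZE)
                return -1;
        }
        /* Class-specific and unknown descriptors are skipped by bLength. */
        off += len;
    }
    return endpoints;
}

/* Constructed sample blobs (not captured from any real device). */

/* Well-formed: config + interface + one class-specific descriptor + two
 * bulk endpoints.  wTotalLength = 9 + 9 + 5 + 7 + 7 = 37. */
const uint8_t good_config[] = {
    9, USB_DT_CONFIG, 37, 0, 1, 1, 0, 0x80, 50,
    9, USB_DT_INTERFACE, 0, 0, 2, 0xff, 0, 0, 0,
    5, 0x24, 0x01, 0x00, 0x01,                 /* class-specific, skipped */
    7, USB_DT_ENDPOINT, 0x81, 0x02, 64, 0, 0,
    7, USB_DT_ENDPOINT, 0x01, 0x02, 64, 0, 0,
};

/* Lies about wTotalLength (0xffff) while only 18 bytes were received. */
const uint8_t oversized_total[] = {
    9, USB_DT_CONFIG, 0xff, 0xff, 1, 1, 0, 0x80, 50,
    9, USB_DT_INTERFACE, 0, 0, 2, 0xff, 0, 0, 0,
};

/* A descriptor with bLength == 0: a naive walker never advances. */
const uint8_t zero_blength[] = {
    9, USB_DT_CONFIG, 11, 0, 1, 1, 0, 0x80, 50,
    0, USB_DT_ENDPOINT,
};

/* An endpoint descriptor cut down to 3 bytes: its wMaxPacketSize field
 * lies past the end of the blob. */
const uint8_t short_endpoint[] = {
    9, USB_DT_CONFIG, 12, 0, 1, 1, 0, 0x80, 50,
    3, USB_DT_ENDPOINT, 0x81,
};

int main(void)
{
    printf("good_config:     %d\n", count_endpoints(good_config, sizeof good_config));
    printf("oversized_total: %d\n", count_endpoints(oversized_total, sizeof oversized_total));
    printf("zero_blength:    %d\n", count_endpoints(zero_blength, sizeof zero_blength));
    printf("short_endpoint:  %d\n", count_endpoints(short_endpoint, sizeof short_endpoint));
    return 0;
}
```

The three rejected blobs each stand in for one failure mode named in the advisory's classification: trusting `wTotalLength` or a too-long `bLength` gives an out-of-bounds read, a zero `bLength` gives a hang (a DoS without any memory error), and a short endpoint descriptor gives a read of fields that were never received. A parser that only checks `bLength` against `wTotalLength`, and never against the received size, passes the first blob and fails on real hardware.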


Other experts who replied to the advisory pointed out that physical access is not strictly required: an attacker with remote access to a machine, and enough privileges to talk to a connected USB device, may be able to reflash that device's firmware and turn it into a malicious device that triggers these flaws.

“Perhaps not only in that case, but also in case an attacker has remote access to a USB device (perhaps most commonly via remote access to the machine, with privileges to access the USB device) sufficient to replace that device’s firmware (thereby crafting a malicious device).” suggested one of the users.

“For example, many USB-connected FPGA boards, Bitcoin miners (“ASICs”), etc. may reasonably be made available to a non-root user (such as via udev rules), and they commonly permit microcontroller firmware update to be performed via USB as well. John the Ripper bleeding-jumbo currently loads firmware into MCUs on ZTEX 1.15y boards at startup (if the firmware in EEPROM is different), and we recommend running it as non-root with udev rules set up to grant access to non-root users in group “ztex” (this setup is described in doc/README-ZTEX).”

Linux kernel 4.13.4 and later address many of the vulnerabilities found by Konovalov; unfortunately, at the time of the advisory many of the bugs remained unpatched.

Back in February, the Google researcher disclosed CVE-2017-6074, an 11-year-old local privilege escalation vulnerability.

Konovalov found that flaw in the kernel's DCCP (Datagram Congestion Control Protocol) implementation, again using the Syzkaller kernel fuzzer.

The privilege escalation issue affected all major Linux distributions, including Debian, openSUSE, Red Hat and Ubuntu.

In May, Konovalov reported CVE-2017-7308, a privilege escalation bug in the kernel's packet socket (AF_PACKET) implementation.


Pierluigi Paganini

(Security Affairs – Linux USB Subsystem, hacking)
