A Google code security researcher’s recent discovery of 14 flaws in Linux kernel USB drivers led to last-minute fixes in the Linux 4.14 release candidate code set for distribution on Sunday.
The flaws, which Google researcher Andrey Konovalov disclosed earlier this week, affect the Linux kernel before version 4.13.8.
All 14 have available fixes. However, they are part of a much larger group of 79 flaws affecting the Linux kernel’s USB drivers, some of which remain unpatched.
Within this larger group of coding flaws, 22 now have a Common Vulnerabilities and Exposures number, and fixes are available for them.
However, many of the flaws have not been fixed, according to Konovalov.
Konovalov found the flaws using a kernel fuzzer called “syzkaller,” created by another Google security researcher, Dmitry Vyukov. The technique involves throwing large volumes of random code at a target piece of software in an attempt to cause crashes.
“All of the exploits require physical access to a computer, so the attack vector is limited to social engineering engagements,” noted Russ Wickless, a senior penetration tester at Schellman & Company.
“None of these look like they can be deployed over the Internet,” he told LinuxInsider.
Attackers must have physical access to the computer in order to carry out the attack, Konovalov confirmed.
The flaws also can be used to hack the air-gapped systems that are not connected to the Internet, he warned, but compromised USBs are the only means of infecting a machine with exploit code.
The 14 latest kernel flaws involve faults with specific parts of the USB subsystems. Each of them allows local users to cause a denial of service or possibly have unspecified other impacts initiated from a crafted USB device. A few of the flaws can be exploited to execute code in the kernel.
Konovalov initially reported the first of the 79 bugs last December via a Google Groups mailing list. He continued updating the group with new findings throughout this year. Among those he notified were Google, Linux kernel developers, Intel and The Linux Foundation.
“Some of the issues simply freeze or cause a system to reboot, which is potentially less damaging,” said Chris Roberts, chief security architect at Acalvio.
“This is all depending upon where and what the target machine is doing,” he told LinuxInsider.
Overhauling the Linux kernel USB subsystem is probably the best place to start to address these problems, Roberts said, adding that it is one area that has been known to have issues for a while.
One of the basic approaches to cleaning up the kernel flaws is to apply best practices, suggested Dodi Glenn, VP of cyber security at PC Matic.
“These problems need to be addressed by continuing to scan source code for vulnerabilities and patching the holes as quickly as possible,” he told LinuxInsider.
That best practices approach needs to extend to the users as well, suggested Brian Chappell, senior director of enterprise and solutions architecture at BeyondTrust.
“From a Linux user perspective, adopt a clear USB hygiene approach. Do not insert USB devices of unknown origin, and do not leave USB drives attached — even after these vulnerabilities have been mitigated,” he told LinuxInsider.
Who Owns the Fixing?
In this case, it is the community maintainers of this area of kernel code who are responsible for fixing the flaws, said Mike Kail, CTO of Cybric.
However, this problem is not unique to Linux security, he pointed out.
“It simply exposes the lack, once again, of continuous security testing,” Kail told LinuxInsider.
Responsibility for the Linux kernel does not fall to the individual distros, but to the kernel community at large, said Schellman & Company’s Wickless. It is mostly a matter of keeping the distro’s package manager up to date.
Anyone can submit a patch to the kernel, he said.
Linux on Display
Despite recent bad publicity about Linux vulnerabilities, Linux is still the most secure operating system for servers and users alike, Wickless maintained.
“If these would have been remote code execution bugs, that would have given me cause for worry,” he added.
Because any operating system today is massively complex and written by humans, errors will exist in the code. Linux is served by a massive community working hard to close off vulnerabilities and improve the code, while also continuing to develop and enhance the operating system, according to BeyondTrust’s Chappell.
“Linux still remains a good option for a secure environment. Like all systems, physical access should always be tightly controlled and monitored,” he said.
What this says about Linux depends on one’s point of view, suggested Chris Morales, head of security analytics at Vectra.
The positive perspective is that the community constantly reviews Linux source code and is able to respond before attackers do, he told LinuxInsider. “The negative view is that open source code is not maintained regularly and depends on an army of volunteers to keep safe. The truth is somewhere in between.”