When handling an USB request, the code attempts to store the request into memory. If the requested memory can't be allocated, the code will allocate some. As long as the allocated memory is released though, the bug will remain present. This allows an attacker controlled request to be stored, leading to a remote code execution. As this bug exists in the USB subsystem, it can be exploited by any user on the system. The user only needs to create an USB request, send the packet, and then release the memory. This happens within the task receiving the packet. The task can then access an unmapped area of memory, causing a remote code execution. Due to the nature of USB devices, most of them are plugged in for permanent use, causing even more danger. In this case, the attacker doesn't even need to be on the same network as the victim. This is because the attacker doesn't need to be, as the attacker doesn't even need to be in the same physical location as the victim. This makes this flaw even more dangerous, as even a small delay between sending and receiving the packet can cause the attacker to be long gone. This bug has been present since USB devices were first accessed by the kernel. This means that it has been present in all Linux distributions that have included the USB subsystem. Due to the fact that this is a security issue, most Linux distributions have released updates to fix this issue.

References

Vulnerability Discovered in Linux

A vulnerability has been discovered in the Linux kernel that allows an attacker to execute arbitrary code on a target system. This vulnerability exists because of a bug present in the USB subsystem and can be exploited by any user with root privileges on the system. It is recommended that all Linux systems use this update, as it is being included in most major distributions.

Timeline

Published on: 04/03/2022 21:15:00 UTC
Last modified on: 07/04/2022 11:15:00 UTC

References