A flaw was found in the Linux kernel where there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer. An attacker who is able to hot plug at least two devices of this class can cause a a use-after-free situation. This affects the generic character device layer devices and not a specific device driver. References: http://www.openwall.com/lists/oss-security/2019/12/03/4 http://seclists.org/oss-sec/2019/q4/115 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.10 Upstream Patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=303911cfc5b95d33687d9046133ff184cf5043ff
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1783563]
This was fixed for Fedora with the 5.2.10 stable kernel updates.
While I do understand the race condition that leads to this, it would be somewhat difficult to exploit this flaw with physical access. Timing physical control of the removal of devices to this level would be harder than you think (I tried ~100 times and maybe I'm just bad at it). The other, and more likely method would be using USB over ip ( https://www.kernel.org/doc/readme/tools-usb-usbip-README ), which I had also attempted ~65,000 times, it didnt trigger on my system even after trying multiple different ways of forcing the race condition. Using this method required root access to attach/detach, with these permissions this attack vector is somewhat contrived. I'm proposing this be fixed in relevant y streams, I dont think its usable enough as an attack vector for z stream immediate fix.
Mitigation: Many Character devices can trigger this flaw as they leverage the lower levels of the USB subsystem. The safest method that I have found would be to disable USB ports that are able to be attacked using this method, disable them first by disallowing them from waking up from low-power states with the command (Replace X with the port number available). echo disabled >> /sys/bus/usb/devices/usbX/power/wakeup The system must also disable the specific ports power after with the command: echo suspend | sudo tee /sys/bus/usb/devices/usbX/power/level This change not persist through system reboots and must be applied at each reboot to be effective.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19537
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609