Bug 1783561 (CVE-2019-19537) - CVE-2019-19537 kernel: race condition caused by a malicious USB device in the USB character device driver layer
Summary: CVE-2019-19537 kernel: race condition caused by a malicious USB device in the...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19537
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1686205 1783563 1785064 1785065 1785066 1785067 1785068 1785273
Blocks: 1783565
TreeView+ depends on / blocked
 
Reported: 2019-12-13 21:52 UTC by msiddiqu
Modified: 2023-12-15 17:05 UTC (History)
45 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel, where there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer. An attacker who can hotplug at least two devices of this class can cause a use-after-free situation.
Clone Of:
Environment:
Last Closed: 2020-09-29 21:59:17 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4416 0 None None None 2020-10-29 15:09:55 UTC
Red Hat Product Errata RHBA-2020:4417 0 None None None 2020-10-29 15:08:26 UTC
Red Hat Product Errata RHBA-2020:4418 0 None None None 2020-10-29 15:13:54 UTC
Red Hat Product Errata RHBA-2020:4419 0 None None None 2020-10-29 15:12:17 UTC
Red Hat Product Errata RHBA-2020:4420 0 None None None 2020-10-29 15:51:14 UTC
Red Hat Product Errata RHSA-2020:4060 0 None None None 2020-09-29 20:52:49 UTC
Red Hat Product Errata RHSA-2020:4062 0 None None None 2020-09-29 18:58:53 UTC
Red Hat Product Errata RHSA-2020:4431 0 None None None 2020-11-04 00:50:16 UTC
Red Hat Product Errata RHSA-2020:4609 0 None None None 2020-11-04 02:22:18 UTC

Description msiddiqu 2019-12-13 21:52:50 UTC
A flaw was found in the Linux kernel where there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer. An attacker who is able to hot plug at least two devices of this class can cause a a use-after-free situation.

This affects the generic character device layer devices and not a specific device  driver.

References: 

http://www.openwall.com/lists/oss-security/2019/12/03/4
http://seclists.org/oss-sec/2019/q4/115
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.10

Upstream Patch:
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=303911cfc5b95d33687d9046133ff184cf5043ff

Comment 1 msiddiqu 2019-12-13 21:53:22 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1783563]

Comment 2 Justin M. Forbes 2019-12-16 17:21:23 UTC
This was fixed for Fedora with the 5.2.10 stable kernel updates.

Comment 3 Wade Mealing 2019-12-18 08:05:51 UTC
While I do understand the race condition that leads to this, it would be somewhat difficult to exploit this flaw with physical access.   Timing physical control of the removal of devices to this level would be harder than you think (I tried ~100 times and maybe I'm just bad at it). 

The other, and more likely method would be using USB over ip ( https://www.kernel.org/doc/readme/tools-usb-usbip-README ), which I had also attempted ~65,000 times, it didnt trigger on my system even after trying multiple different ways of forcing the race condition.    Using this method required root access to attach/detach, with these permissions this attack vector is somewhat contrived.

I'm proposing this be fixed in relevant y streams, I dont think its usable enough as an attack vector for z stream immediate fix.

Comment 6 Wade Mealing 2019-12-19 02:29:37 UTC
Mitigation:

Many Character devices can trigger this flaw as they leverage the lower levels of the USB subsystem.

The safest method that I have found would be to disable USB ports that are able to be attacked
using this method, disable them first by disallowing them from waking up from low-power states 
with the command (Replace X with the port number available).

echo disabled >> /sys/bus/usb/devices/usbX/power/wakeup 

The system must also disable the specific ports power after with the command:

echo suspend | sudo tee /sys/bus/usb/devices/usbX/power/level

This change not persist through system reboots and must be applied at each reboot to be effective.

Comment 11 errata-xmlrpc 2020-09-29 18:58:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 12 errata-xmlrpc 2020-09-29 20:52:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

Comment 13 Product Security DevOps Team 2020-09-29 21:59:17 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19537

Comment 29 errata-xmlrpc 2020-11-04 00:50:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431

Comment 30 errata-xmlrpc 2020-11-04 02:22:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609


Note You need to log in before you can comment on or make changes to this bug.