The Linux kernel USB subsystem has more holes than a donut shop. On Monday, Google security researcher Andrey Konovalov disclosed 14 Linux USB flaws found using syzkaller, a kernel fuzzing tool developed by another Google software engineer, Dmitry Vyukov.
That’s just the tip of the iceberg. In an email to The Register, Konovalov said he asked for CVEs for another seven vulnerabilities on Tuesday, and noted there are something like 40 that have not been fixed or triaged.
Konovalov downplayed the risk posed by the flaws, based on the fact that physical access is a prerequisite to an attack. In other words, to exploit these vulnerabilities and potentially hijack a machine or infect it with spyware, you have to be able to actually insert a malicious USB gadget into a Linux-powered system.
Still, there are plenty of these ports around – like on your Linux-powered in-flight entertainment unit on an airplane, and on your Linux-powered Android handheld and ChromeOS laptop.
In an online discussion of the flaws, it was suggested that the WebUSB API might provide a way to take advantage of the bugs remotely, but Konovalov expressed skepticism.
Submitted by: Arnfried Walbrecht