Numerous Vulnerabilities Discovered in Linux Kernel USB Subsystem

Andrey Konovalov, a researcher at the Google had found out the significant number of vulnerabilities in Linux kernel USB subsystem utilizing the Google Syzkaller fuzzer. Google’s fuzzing tool facilitated Konovalov and found tens of bugs containing twenty-two security flaws that have been allocated CVE identifiers. The expert presented the thorough details in a review published this week that he had discovered about fourteen vulnerabilities.

Konovalov described the vulnerabilities as use-after-free, common security fault, out-of-bounds read, and NULL pointer dereference concerns that can be utilized to source a denial-of-service (DoS) situation. Further, the expert stated few of the flaws might have a distinct influence as well, which naturally means they could let random code implementation.

The researcher also expressed that an attacker requires to have physical access to the aimed system and associate a malicious USB device so as to exploit the vulnerabilities. Some others recommended that an attacker who has faraway access to a machine may be capable to update the firmware on associated USB drives to position exploits for these faults and generate malicious devices.

Konovalov found quite many fixes for numerous vulnerabilities which are contained within Linux kernel versions 4.13.4 and later. Unfortunately, several issues still remain unpatched. On the contrary, Linux distributes ions do not appear too worried about such security and protection holes and allotted them low severity ratings.

The Google researcher not only discovered the flaws in Linux kernel but back in February, he also informed finding in the vicinity exploitable code execution flaw. It had been presented in the kernel for more than eleven years. This double-free susceptibility (CVE-2017-6074) was also distinguished by using the Syzkaller fuzzer. Even, he also revealed it this year in May about the facts of a privilege rapidly increase bug that could be considered unfair via packet sockets. A detailed analysis of quite many CVEs carried out the previous year and presented that the average period of a Linux kernel vulnerability is about five years.

Leave a Reply

Your email address will not be published. Required fields are marked *