[gentoo-user] Linux USB security holes.

[gentoo-user] Linux USB security holes.

[Dale]

Howdy,

I ran up on this link.  Is there any truth to it and should any of us
Gentooers be worried about it?

http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ 

Isn't Linux supposed to be more secure than this??

Dale

:-)  :-) 

Re: [gentoo-user] Linux USB security holes.

[Adam Carter]

[-- Attachment #1: Type: text/plain, Size: 409 bytes --]

On Wed, Nov 8, 2017 at 4:08 PM, Dale <rdalek1967@gmail.com> wrote:

> Howdy,
>
> I ran up on this link.  Is there any truth to it and should any of us
> Gentooers be worried about it?
>

Its sensible to think of anything that's been assigned a CVE number as
real.

>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>
> Isn't Linux supposed to be more secure than this??


It is what it is.

[-- Attachment #2: Type: text/html, Size: 1025 bytes --]

Re: [gentoo-user] Linux USB security holes.

[R0b0t1]

On Tue, Nov 7, 2017 at 11:08 PM, Dale <rdalek1967@gmail.com> wrote:
> Howdy,
>
> I ran up on this link.  Is there any truth to it and should any of us
> Gentooers be worried about it?
>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>
> Isn't Linux supposed to be more secure than this??
>

In theory. There was no comment on the existence of such bugs in the
Windows driver stack, but they likely exist. However, note:

"The impact is quite limited, all the bugs require physical access to
trigger," said Konovalov. "Most of them are denial-of-service, except
for a few that might be potentially exploitable to execute code in the
kernel."

Which is typically what one should expect from bugs discovered by fuzzing.

These are issues which should be fixed, but keep in mind that there
has been (and still is) lots of kernel development that focuses on
isolating the kernel from itself. The reporting of these bugs will
likely be used to make those mechanisms even better.


To compare, here is an "exploit" discovered in a monitor:
https://github.com/RedBalloonShenanigans/MonitorDarkly.

The prerequisites include having debug access to the monitor's
controller. Personally I am surprised this was presented at DefCon as
it does not really seem appropriate. At least the articles covering
the code should be reworded - it's exploiting the monitor almost the
same way you can exploit a car by driving it.

More and more security releases are starting to look like the above,
as the researchers and authors clamor for notability, which is
increasingly hard to find. I think the article you found strikes a
middle ground - the exploits are relevant in practice, but take a lot
of work to use.

Cheers,
     R0b0t1

[gentoo-user] Re: Linux USB security holes.

[Grant Edwards]

On 2017-11-08, R0b0t1 <r030t1@gmail.com> wrote:
> On Tue, Nov 7, 2017 at 11:08 PM, Dale <rdalek1967@gmail.com> wrote:
>> Howdy,
>>
>> I ran up on this link.  Is there any truth to it and should any of us
>> Gentooers be worried about it?
>>
>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>
>> Isn't Linux supposed to be more secure than this??
>>
>
> In theory. There was no comment on the existence of such bugs in the
> Windows driver stack, but they likely exist. However, note:
>
> "The impact is quite limited, all the bugs require physical access to
> trigger," said Konovalov. "Most of them are denial-of-service, except
> for a few that might be potentially exploitable to execute code in the
> kernel."

Expecting a machine to be immune from DoS attacks by somebody who is
allowed to touch the machine is indeed delusion on a pretty grand
scale.  Expecting a machine to be immune to other non-DoS attacks when
they can touch the machine is moderately deluded.

-- 
Grant Edwards               grant.b.edwards        Yow! Don't hit me!!  I'm in
                                  at               the Twilight Zone!!!
                              gmail.com            

Re: [gentoo-user] Linux USB security holes.

[J. Roeleveld]

On 8 November 2017 06:08:21 GMT+01:00, Dale <rdalek1967@gmail.com> wrote:
>Howdy,
>
>I ran up on this link.  Is there any truth to it and should any of us
>Gentooers be worried about it?
>
>http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ 
>
>Isn't Linux supposed to be more secure than this??
>
>Dale
>
>:-)  :-) 

From what I read, you need physical access.
And I am not certain what you need to do to the firmware on the USB device to trigger this.

--
Joost 
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

[gentoo-user] Re: Linux USB security holes.

[Ian Zimmerman]

On 2017-11-08 05:53, J. Roeleveld wrote:

> From what I read, you need physical access.

According to Solar, for whom I have developed great respect, this is not
necessarily so:

http://www.openwall.com/lists/oss-security/2017/11/08/5

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.

Re: [gentoo-user] Re: Linux USB security holes.

[J. Roeleveld]

On Wednesday, November 8, 2017 8:35:37 PM CET Ian Zimmerman wrote:
> On 2017-11-08 05:53, J. Roeleveld wrote:
> > From what I read, you need physical access.
> 
> According to Solar, for whom I have developed great respect, this is not
> necessarily so:
> 
> http://www.openwall.com/lists/oss-security/2017/11/08/5

I stand corrected. Forgot about this possible avenue. But this will still 
require the person already has access to the system.
I think for most users with just a personal desktop, this is less likely.

It does bring another possible access, most servers have iKVM/IPMI systems 
installed for remote management. Those also allow USB devices to be connected 
over network. I would, however, class access to these parts of the system as 
"physical" access.

--
Joost

Re: [gentoo-user] Linux USB security holes.

[Dale]

Dale wrote:
> Howdy,
>
> I ran up on this link.  Is there any truth to it and should any of us
> Gentooers be worried about it?
>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ 
>
> Isn't Linux supposed to be more secure than this??
>
> Dale
>
> :-)  :-) 
>


To reply to all that posted so far.  I did see that it requires physical
access, like a lot of other things.  Once a person has physical access,
there are a number of things that can go wrong. 

It does seem to be one of those things that while possible, has anyone
been able to do it in the real world and even without physical access? 
Odds are, no. 

Still, all things considered, Linux is pretty secure.  BSD is more
secure from what I've read but Linux is better than windoze. 

Dale

:-)  :-) 

Re: [gentoo-user] Linux USB security holes.

[R0b0t1]

On Wed, Nov 8, 2017 at 12:02 AM, Dale <rdalek1967@gmail.com> wrote:
> Dale wrote:
>> Howdy,
>>
>> I ran up on this link.  Is there any truth to it and should any of us
>> Gentooers be worried about it?
>>
>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>
>> Isn't Linux supposed to be more secure than this??
>>
>> Dale
>>
>> :-)  :-)
>>
>
>
> To reply to all that posted so far.  I did see that it requires physical
> access, like a lot of other things.  Once a person has physical access,
> there are a number of things that can go wrong.
>
> It does seem to be one of those things that while possible, has anyone
> been able to do it in the real world and even without physical access?
> Odds are, no.
>

The most widely publicized example is STUXNET. There are also reports
that malicious USB keys with driver-level exploits are sometimes used
for industrial espionage.

The key point being that in either case, someone is spending a lot of
money to research and set up a plausible attack.

> Still, all things considered, Linux is pretty secure.  BSD is more
> secure from what I've read but Linux is better than windoze.
>
> Dale
>
> :-)  :-)
>

Re: [gentoo-user] Linux USB security holes.

[R0b0t1]

On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1 <r030t1@gmail.com> wrote:
> On Wed, Nov 8, 2017 at 12:02 AM, Dale <rdalek1967@gmail.com> wrote:
>> Dale wrote:
>>> Howdy,
>>>
>>> I ran up on this link.  Is there any truth to it and should any of us
>>> Gentooers be worried about it?
>>>
>>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>>
>>> Isn't Linux supposed to be more secure than this??
>>>
>>> Dale
>>>
>>> :-)  :-)
>>>
>>
>>
>> To reply to all that posted so far.  I did see that it requires physical
>> access, like a lot of other things.  Once a person has physical access,
>> there are a number of things that can go wrong.
>>
>> It does seem to be one of those things that while possible, has anyone
>> been able to do it in the real world and even without physical access?
>> Odds are, no.
>>
>
> The most widely publicized example is STUXNET. There are also reports
> that malicious USB keys with driver-level exploits are sometimes used
> for industrial espionage.
>
> The key point being that in either case, someone is spending a lot of
> money to research and set up a plausible attack.
>
>> Still, all things considered, Linux is pretty secure.  BSD is more
>> secure from what I've read but Linux is better than windoze.
>>
>> Dale
>>
>> :-)  :-)
>>

I suppose I should add that once the basic work has been done for an
exploit like this it will have great reproducibility. But at that
level you are (usually) talking about very well funded actors, and one
should also be worried about controller-level exploits that would be
much harder to discover from an operating system.

If you can't surround your computer with trustworthy armed guards,
assume you suffer from a serious vulnerability based on the
preliminary work the article is talking about.

Rainbows and Sunshine,
     R0b0t1

Re: [gentoo-user] Linux USB security holes.

[Dale]

R0b0t1 wrote:
> On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1 <r030t1@gmail.com> wrote:
>> On Wed, Nov 8, 2017 at 12:02 AM, Dale <rdalek1967@gmail.com> wrote:
>>> Dale wrote:
>>>> Howdy,
>>>>
>>>> I ran up on this link.  Is there any truth to it and should any of us
>>>> Gentooers be worried about it?
>>>>
>>>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>>>
>>>> Isn't Linux supposed to be more secure than this??
>>>>
>>>> Dale
>>>>
>>>> :-)  :-)
>>>>
>>>
>>> To reply to all that posted so far.  I did see that it requires physical
>>> access, like a lot of other things.  Once a person has physical access,
>>> there are a number of things that can go wrong.
>>>
>>> It does seem to be one of those things that while possible, has anyone
>>> been able to do it in the real world and even without physical access?
>>> Odds are, no.
>>>
>> The most widely publicized example is STUXNET. There are also reports
>> that malicious USB keys with driver-level exploits are sometimes used
>> for industrial espionage.
>>
>> The key point being that in either case, someone is spending a lot of
>> money to research and set up a plausible attack.
>>
>>> Still, all things considered, Linux is pretty secure.  BSD is more
>>> secure from what I've read but Linux is better than windoze.
>>>
>>> Dale
>>>
>>> :-)  :-)
>>>
> I suppose I should add that once the basic work has been done for an
> exploit like this it will have great reproducibility. But at that
> level you are (usually) talking about very well funded actors, and one
> should also be worried about controller-level exploits that would be
> much harder to discover from an operating system.
>
> If you can't surround your computer with trustworthy armed guards,
> assume you suffer from a serious vulnerability based on the
> preliminary work the article is talking about.
>
> Rainbows and Sunshine,
>      R0b0t1
>
>


I've considered encrypting my stuff.  I'm talking locked down from power
up all the way through.  Those who have been on this list a while and
know me, they know that would be a disaster.  If anything could go wrong
with it, it would. 

While I try to be secure, I'm not going nuts over it.  I do lock my
screen if I leave and sometimes even logout but I don't put hand
grenades and other booby traps around it.  Heck, if I did, I'd likely
trip up and hurt myself.  Ooops!!

I guess I'll just kept my top secret stuff in my head.  ;-) 

Dale

:-)  :-) 

Re: [gentoo-user] Linux USB security holes.

[Taiidan]

You can forward your USB controllers to a VM
OR
Disable them in the BIOS

It is very easy to re-write a USB drive firmware via another virus on a 
poorly secured different computer so this doesn't really need physical 
access not that it would be difficult to simply have someone cause a 
scene and then have someone else walk by and insert a drive in to your 
laptop for a few seconds while you were distracted if you were a high 
profile target (politician, ceo, lawyer etc)

Re: [gentoo-user] Linux USB security holes.

[Martin DiViaio]

[-- Attachment #1: Type: text/plain, Size: 2145 bytes --]

 There's an old saying: The only secure computer is one that is locked in a room, unplugged. Then again, that computer is only as secure as the lock on the door.


    On Wednesday, November 8, 2017, 1:48:43 AM EST, R0b0t1 <r030t1@gmail.com> wrote:  
 
 On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1 <r030t1@gmail.com> wrote:
> On Wed, Nov 8, 2017 at 12:02 AM, Dale <rdalek1967@gmail.com> wrote:
>> Dale wrote:
>>> Howdy,
>>>
>>> I ran up on this link.  Is there any truth to it and should any of us
>>> Gentooers be worried about it?
>>>
>>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>>
>>> Isn't Linux supposed to be more secure than this??
>>>
>>> Dale
>>>
>>> :-)  :-)
>>>
>>
>>
>> To reply to all that posted so far.  I did see that it requires physical
>> access, like a lot of other things.  Once a person has physical access,
>> there are a number of things that can go wrong.
>>
>> It does seem to be one of those things that while possible, has anyone
>> been able to do it in the real world and even without physical access?
>> Odds are, no.
>>
>
> The most widely publicized example is STUXNET. There are also reports
> that malicious USB keys with driver-level exploits are sometimes used
> for industrial espionage.
>
> The key point being that in either case, someone is spending a lot of
> money to research and set up a plausible attack.
>
>> Still, all things considered, Linux is pretty secure.  BSD is more
>> secure from what I've read but Linux is better than windoze.
>>
>> Dale
>>
>> :-)  :-)
>>

I suppose I should add that once the basic work has been done for an
exploit like this it will have great reproducibility. But at that
level you are (usually) talking about very well funded actors, and one
should also be worried about controller-level exploits that would be
much harder to discover from an operating system.

If you can't surround your computer with trustworthy armed guards,
assume you suffer from a serious vulnerability based on the
preliminary work the article is talking about.

Rainbows and Sunshine,
    R0b0t1

  

[-- Attachment #2: Type: text/html, Size: 4542 bytes --]

Re: [gentoo-user] Linux USB security holes.

[Alan McKinnon]

On 08/11/2017 07:08, Dale wrote:
> Howdy,
> 
> I ran up on this link.  Is there any truth to it and should any of us
> Gentooers be worried about it?
> 
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ 
> 
> Isn't Linux supposed to be more secure than this??



I would say the real problem is USB itself.

What is USB after all? It's a way of sticking any old random thing into
a socket and getting the computer to magically do stuff. So if the
system software then goes ahead and does stuff, it's only really
operating as designed and as spec'ed right?

Yes, those 40 holes are probably all true and quite possibly all
exploitable, and they should also be fixed. But the real problem is that
USB even exists at all.

btw, when you say "Isn't Linux supposed to be more secure than this??"
the answer is a resounding NO

The Linux=safe, Windows=notsafe delusion comes from the 90s when Windows
had no real security features at all, or even any realistic ways to
limit and control access. Linux had a Unix-style userland and kernel, so
you automatically got multi-user/multi-process with per-user
permissions. That alone, by itself, is probably the largest single
security advance in all of computing history. Everything else is icing.

There is nothing in Unix really that is "secure by design", and all von
Neumann machines are actually insecure by design


-- 
Alan McKinnon
alan.mckinnon@gmail.com