A group of academics says it has found 26 new vulnerabilities in the USB driver stack used by operating systems such as Linux, macOS, Windows and FreeBSD. The team, led by Hui Peng of Purdue University and Mathias Payer of the Swiss Federal Institute of Technology in Lausanne, discovered all the vulnerabilities through USBFuzz, a new tool they created.
Such tools are called “fuzzers”. Fuzzers are applications that help security researchers feed large amounts of invalid, unexpected, or random data into other applications. Security researchers then analyze the behavior of the software being tested to uncover new bugs, some of which can be exploited maliciously.
To test USB drivers, Peng and Payer jointly developed USBFuzz, a new fuzzer designed to test the USB driver stack of modern operating systems. “At its core, USBFuzz uses software-simulated USB devices to provide drivers with random device data when they perform IO operations,” the researchers said.
“Because the USB device simulation is working at the device level, it’s straightforward to port it to other platforms,” the team said. This allowed the research team to test USBFuzz not only on Linux, but also on other operating systems.
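The idea in miniature, as an added example that is not taken from the USBFuzz paper or code: a simulated device hands mutated and truncated descriptor bytes to a driver-style parser, and the harness counts any result that breaks the parser's invariant. The function names, the seed descriptor and the PRNG are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#define DT_ENDPOINT 0x05
/* Driver-side walk over an untrusted, device-supplied configuration blob.
 * Returns the number of endpoint descriptors, or -1 if the blob is malformed. */
int count_endpoints(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int endpoints = 0;
    while (off < len) {
        if (len - off < 2) return -1;                   /* need bLength + bDescriptorType */
        uint8_t blen = buf[off], type = buf[off + 1];
        if (blen < 2 || blen > len - off) return -1;    /* would loop forever or overrun */
        if (type == DT_ENDPOINT && blen < 7) return -1; /* endpoint needs 7 bytes */
        if (type == DT_ENDPOINT) endpoints++;
        off += blen;
    }
    return endpoints;
}

/* Constructed seed: config (9) + interface (9) + two bulk endpoints (7 each). */
static const uint8_t seed_blob[32] = {
    9, 0x02, 32, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 2, 0xff, 0, 0, 0,
    7, 0x05, 0x81, 0x02, 64, 0, 0,
    7, 0x05, 0x02, 0x02, 64, 0, 0,
};
static uint32_t rng_state;                              /* xorshift32, deterministic */
static uint32_t rng_next(void)
{
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5;
    return rng_state;
}

/* Simulated device: mutate and truncate the seed, feed it to the parser, and
 * count results that break the invariant (every endpoint occupies 7+ bytes). */
int fuzz_count_endpoints(uint32_t seed, int iterations)
{
    int violations = 0;
    rng_state = seed ? seed : 1;
    for (int i = 0; i < iterations; i++) {
        uint8_t data[sizeof seed_blob];
        size_t len = 1 + rng_next() % sizeof data;      /* device may send a short blob */
        memcpy(data, seed_blob, sizeof data);
        for (int k = (int)(rng_next() % 4); k >= 0; k--)
            data[rng_next() % sizeof data] = (uint8_t)rng_next();
        int r = count_endpoints(data, len);
        if (r < -1 || r > (int)(len / 7)) violations++;
    }
    return violations;
}
int main(void) { return fuzz_count_endpoints(1, 100000) != 0; }
```

Building this with a memory sanitizer enabled turns any out-of-bounds read in the parser into an immediate, reportable failure, which is the same role the kernel's own memory checkers play when a whole driver stack is under test.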
The researchers said they tested USBFuzz on the following platforms.
The 9 latest versions of the Linux kernel: v4.14.81, v4.15, v4.16, v4.17, v4.18.19, v4.19, v4.19, v4.19.2 and v4.20-rc2 (the latest version at the time of evaluation).
FreeBSD 12 (latest version)
macOS 10.15 Catalina (latest version)
Windows (versions 8 and 10 with the latest security updates installed)
After testing, the team said they found 26 new bugs with the help of USBFuzz.
The researchers found one bug in FreeBSD, three in macOS (two that caused unplanned reboots, one that caused a system freeze) and four in Windows 8 and Windows 10 (causing Blue Screens of Death).
The most serious findings were in Linux, 18 in total. Sixteen of them are high-risk memory vulnerabilities in Linux subsystems (USB core, USB sound and network), one is in the Linux USB host controller driver, and one is in a USB camera driver.
Peng and Payer said they reported the bugs to the Linux kernel team and suggested patches to ease the “burden of kernel developers fixing reported vulnerabilities.”
The team said 11 of the 18 Linux vulnerabilities had received patches since they were first reported last year. Of the 11 bugs, 10 also received a CVE, a unique identifier assigned to a major security vulnerability.
The related paper is titled “USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation”.