Compliance Impact

The provided information does not include any details on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in libusb versions before 1.0.30 in the parse_interface() function. It occurs when a malformed USB configuration descriptor is provided where an interface claims to have a positive number of endpoints (bNumEndpoints > 0) but is followed by a class-specific descriptor whose length exceeds the remaining buffer size. This causes parse_interface() to return early without allocating the endpoint array, leaving the endpoint pointer as NULL despite bNumEndpoints being greater than zero.

As a result, any application that iterates over the endpoints and dereferences this NULL pointer will crash. Attackers can exploit this by supplying crafted USB descriptors through virtualized USB passthrough, file-based descriptor parsing, or network sources.

Useful 0 Not Useful 0

Impact Analysis

The primary impact of this vulnerability is that it allows attackers to cause a denial-of-service (DoS) condition by crashing applications that use libusb to parse USB configuration descriptors. When an application attempts to access the endpoints of a malformed descriptor, it dereferences a NULL pointer, leading to a crash.

This can disrupt normal operation of software relying on libusb, potentially affecting device communication or other USB-related functionality.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is triggered by malformed USB configuration descriptors provided by attached devices or via virtualized USB passthrough, file-based descriptor parsing, or network sources. Detection involves identifying applications that crash due to NULL pointer dereferences when processing USB descriptors.

Since the issue occurs in the parse_interface() function of libusb when handling USB descriptors, monitoring application crashes related to USB device enumeration or descriptor parsing can help detect exploitation attempts.

No specific detection commands are provided in the available resources. However, fuzzing tools targeting libusb's descriptor parsers, such as the fuzz_descriptor_parsers.c fuzzer added in the libusb project, can be used by developers or security researchers to identify malformed descriptors causing crashes.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade libusb to version 1.0.30 or later, where the vulnerability has been fixed.

The fix resets the bNumEndpoints field to zero before returning in the parse_interface() function to prevent NULL pointer dereferences, and corrects buffer length checks in parse_iad_array() to avoid out-of-bounds reads.

Until upgrading, avoid using untrusted or potentially malicious USB devices or virtualized USB passthrough sources that could supply malformed descriptors.

Useful 0 Not Useful 0