CVE-2026-47104
One-Byte Out-of-Bounds Read in libusb

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: VulnCheck

Description
libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parse_iad_array() in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer size instead of the remaining size. Attackers in virtualized environments with USB passthrough can supply crafted descriptors through libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors to read one byte past the end of the malloc allocation, resulting in a denial of service.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-28
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: libusb
Product: libusb
Version / Range: up to 1.0.30 (1.0.30 excluded)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in libusb versions before 1.0.30 in the parse_iad_array() function within descriptor.c. It is a one-byte out-of-bounds read caused by improper bounds checking. Specifically, when a malformed USB descriptor has a bLength value equal to the remaining buffer size minus one, the function incorrectly uses the original buffer size for its bounds check instead of the remaining size. This allows an attacker to read one byte past the allocated memory buffer.

The vulnerability can be triggered by supplying crafted USB descriptors, especially in virtualized environments with USB passthrough, through APIs like libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors. This out-of-bounds read can lead to a denial of service, such as application crashes.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS). An attacker can cause applications using vulnerable libusb versions to crash by supplying malformed USB descriptors that trigger the out-of-bounds read.

This is particularly relevant in virtualized environments where USB passthrough is enabled, as attackers can supply crafted descriptors through the USB interface to exploit this flaw.

While the out-of-bounds read is only one byte and may be silent on standard memory allocators, it can cause crashes or DoS in hardened environments such as those using AddressSanitizer or other memory safety tools.

Detection Guidance

This vulnerability is triggered by malformed USB descriptors supplied by attached devices, particularly in virtualized environments with USB passthrough. Detection involves monitoring USB device descriptors for malformed or suspicious values, especially descriptors where the bLength field equals the size minus one, which can cause out-of-bounds reads.

Since the vulnerability occurs in libusb's descriptor parsing functions, one approach is to use fuzzing tools or specialized tests targeting USB descriptor parsing to identify vulnerable behavior.

No specific commands are provided in the resources, but general detection steps could include:

  • Using USB device enumeration tools (e.g., lsusb on Linux) to inspect device descriptors for irregularities.
  • Running fuzzing tests against libusb descriptor parsers, such as the fuzz_descriptor_parsers.c fuzzer introduced in the libusb project.
  • Monitoring application crashes or denial-of-service symptoms related to USB device interactions, especially in hardened environments like those using AddressSanitizer.

Mitigation Strategies

The primary mitigation is to upgrade libusb to version 1.0.30 or later, where the vulnerability has been fixed.

The fix addresses the out-of-bounds read by correcting the bounds checking in the parse_iad_array() function and ensuring consistent handling of malformed USB descriptors.
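The corrected check that the Executive Summary and this paragraph describe, as an added example in C that is not libusb's own code: a descriptor walk that counts IADs while comparing each bLength against the bytes remaining in the buffer, and that rejects the trailing-single-byte case (bLength equal to size minus one) before the header is read. The function name count_iads_checked, the DT_ constants and the descriptor bytes are constructed for this illustration and are not taken from the libusb source.

```c
/* Added example, not libusb's own code: a bounded walk over a USB descriptor
 * array that counts Interface Association Descriptors (IADs). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_INTERFACE             0x04  /* bDescriptorType values (USB spec) */
#define DT_INTERFACE_ASSOCIATION 0x0B

/* Returns the number of IADs found, or -1 if the array is malformed. Every
 * check is against the bytes still remaining, never the original size. */
int count_iads_checked(const uint8_t *buf, size_t size)
{
    size_t consumed = 0;
    int count = 0;

    while (consumed < size) {
        size_t remaining = size - consumed;
        /* The 2-byte header (bLength, bDescriptorType) must fit before it is
         * read. If the previous bLength left exactly one byte, a check against
         * the total size still passes and the header read goes one byte past
         * the allocation: the over-read described above. */
        if (remaining < 2)
            return -1;
        uint8_t bLength = buf[consumed];
        uint8_t bDescriptorType = buf[consumed + 1];
        /* bLength must cover its own header and must not exceed what is left. */
        if (bLength < 2 || bLength > remaining)
            return -1;
        if (bDescriptorType == DT_INTERFACE_ASSOCIATION)
            count++;
        consumed += bLength;
    }
    return count;
}

/* Constructed sample inputs, not captured from a real device. */
static const uint8_t GOOD[] = {          /* IAD, interface, IAD: 25 bytes */
    8, DT_INTERFACE_ASSOCIATION, 0, 2, 0xEF, 2, 1, 0,
    9, DT_INTERFACE, 0, 0, 0, 0xFF, 0, 0, 0,
    8, DT_INTERFACE_ASSOCIATION, 2, 1, 0xFF, 0, 0, 0 };
static const uint8_t TRAILING_BYTE[] = { /* bLength 8 == size 9 minus one */
    8, DT_INTERFACE_ASSOCIATION, 0, 2, 0xEF, 2, 1, 0, 0x09 };

int main(void)
{
    printf("good: %d  trailing byte: %d\n", count_iads_checked(GOOD, sizeof GOOD),
           count_iads_checked(TRAILING_BYTE, sizeof TRAILING_BYTE));
    return 0;
}
```

Compiled with -fsanitize=address, the same inputs fed to a walker that compares bLength against the original size would report a 1-byte heap over-read on TRAILING_BYTE; the checked version returns -1 instead.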

Until the upgrade can be applied, consider restricting or disabling USB passthrough in virtualized environments to prevent attackers from supplying crafted descriptors.

Additionally, monitor systems for crashes or denial-of-service symptoms related to USB device interactions and avoid connecting untrusted USB devices.
