CVE-2017-15102 in Linux
Summary
by MITRE
The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/10/2023
The vulnerability described in CVE-2017-15102 represents a critical privilege escalation flaw within the Linux kernel's USB subsystem, specifically affecting versions prior to 4.8.1. This issue resides in the tower_probe function located within drivers/usb/misc/legousbtower.c, which handles communication with certain USB devices. The vulnerability's exploitation requires physical proximity and the ability to insert a crafted USB device, making it a targeted attack vector that leverages both hardware manipulation and kernel-level programming errors. The attack scenario involves an attacker with physical access to a system who can introduce a malicious USB device that triggers the vulnerable code path.
The technical root cause of this vulnerability stems from a complex sequence of programming errors that create a write-what-where condition. The flaw occurs after a race condition and subsequent NULL pointer dereference, creating a window where malicious data can be written to arbitrary memory locations. This write-what-where condition is particularly dangerous because it allows an attacker to overwrite critical kernel memory structures or function pointers, effectively enabling code execution with kernel privileges. The vulnerability is classified as a race condition (cwe-362) combined with a NULL pointer dereference (cwe-476) that together create a privilege escalation path.
From an operational perspective, this vulnerability poses significant risk to systems where physical security is compromised, such as workstations, servers, or embedded devices that might be accessible to unauthorized individuals. The requirement for physical proximity means that while the attack surface is limited compared to network-based exploits, it remains a serious concern for environments where device insertion is possible, including public computers, kiosks, or systems in shared workspaces. The attack can result in complete system compromise, as successful exploitation leads to privilege escalation from user level to kernel level, enabling full system control. This vulnerability aligns with attack techniques described in the attack pattern taxonomy under the category of physical access attacks that leverage kernel vulnerabilities.
The mitigation strategy for CVE-2017-15102 involves upgrading to Linux kernel version 4.8.1 or later, where the vulnerability has been addressed through proper synchronization mechanisms and NULL pointer checks. Additionally, system administrators should implement physical security measures to prevent unauthorized USB device insertion, such as disabling USB ports when not needed or implementing USB device whitelisting policies. The fix in the kernel addresses the race condition by ensuring proper locking mechanisms and adds validation checks to prevent NULL pointer dereference scenarios. Organizations should also consider implementing USB device management policies and monitoring systems to detect suspicious USB device connections, as this vulnerability represents a classic example of how physical access can be leveraged for kernel-level privilege escalation attacks.