Linux USB Audio Driver Vulnerability Actively Exploited in the Wild Via Malicious USB
A critical vulnerability in the USB-audio driver, which could lead to out-of-bounds memory reads, has been addressed by a recent patch to the Linux kernel, authored by Takashi Iwai of SUSE.
The USB-audio driver in the Linux kernel has an out-of-bounds access vulnerability that could allow an attacker with physical access to the system to use a malicious USB device to escalate privileges, modify system memory, or run arbitrary code.
Linux Kernel Update Fixes USB Audio Vulnerability
The fix, committed by Greg Kroah-Hartman of the Linux Foundation on December 14, 2024, enhances the driver’s stability and security for systems using USB audio devices.
How the Attack Works
The vulnerability arises when a USB audio device provides a descriptor with a bLength value shorter than the expected structure size. In the original code, the driver blindly assumed the descriptor was complete and attempted to read its fields, such as clock IDs or pin arrays.
If the descriptor was truncated, either due to a hardware flaw or deliberate manipulation, the driver could read past the allocated memory buffer into adjacent, unintended areas.
This out-of-bounds read could leak sensitive data from the kernel’s memory, like pointers or user information, or cause a system crash by accessing invalid memory addresses.
In a worst-case scenario, a skilled attacker could chain this with other exploits to escalate privileges or execute arbitrary code, though such an attack would require precise control over the USB device and additional vulnerabilities.
“This update is a proactive step to safeguard Linux systems interfacing with USB audio hardware,” said Iwai in the patch notes. The fix has been backported to stable kernel branches, ensuring that users across various distributions can benefit from the enhanced security.
The clock selector descriptor, which includes a variable-length array and additional fields, receives even more thorough validation to account for its complexity across USB Audio Class (UAC) versions 2 and 3.
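The length checks described above, sketched as an added example (this is not the kernel's code from sound/usb/clock.c). The byte layout, function names and sample descriptors are assumptions constructed for illustration: a fixed header, a variable-length pin array sized by a device-supplied count, and trailing fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this example: 5-byte fixed header, then bNrInPins
 * one-byte source IDs, then 2 trailing one-byte fields. */
#define OFF_LENGTH   0
#define OFF_NR_PINS  4
#define HDR_SIZE     5u
#define TRAILER_SIZE 2u

/* Constructed samples: one complete descriptor, and one whose bLength (5)
 * is too short for the 4 pins it advertises. */
static const uint8_t sample_ok[]    = { 8, 0x24, 0x0b, 1, 1, 7, 0, 0 };
static const uint8_t sample_short[] = { 5, 0x24, 0x0b, 1, 4 };

/* Returns 1 if the descriptor at p may be parsed, else 0.
 * avail is the number of bytes left in the buffer holding it. */
int selector_desc_valid(const uint8_t *p, size_t avail)
{
    /* The fixed header must be present before any field is read. */
    if (avail < HDR_SIZE)
        return 0;
    /* The claimed length must cover the header and stay inside the buffer. */
    if (p[OFF_LENGTH] < HDR_SIZE || p[OFF_LENGTH] > avail)
        return 0;
    /* The claimed length must also cover the pin array and trailing fields. */
    if (p[OFF_LENGTH] < HDR_SIZE + p[OFF_NR_PINS] + TRAILER_SIZE)
        return 0;
    return 1;
}

/* Returns source ID idx (0-based), or -1 if the descriptor is rejected. */
int selector_pin(const uint8_t *p, size_t avail, unsigned idx)
{
    if (!selector_desc_valid(p, avail) || idx >= p[OFF_NR_PINS])
        return -1;
    return p[HDR_SIZE + idx];
}

int main(void)
{
    printf("ok:    valid=%d pin0=%d\n", selector_desc_valid(sample_ok, sizeof sample_ok),
           selector_pin(sample_ok, sizeof sample_ok, 0));
    printf("short: valid=%d pin0=%d\n", selector_desc_valid(sample_short, sizeof sample_short),
           selector_pin(sample_short, sizeof sample_short, 0));
    return 0;
}
```

Without the third check, the truncated sample would pass a header-only length test and the pin lookup would index past the 5 bytes the device actually supplied.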
Strengthening USB Audio Security
The issue stemmed from the driver’s failure to verify the bLength field of clock descriptors provided by USB audio devices.
Without these checks, a malformed or maliciously crafted descriptor with an insufficient length could trigger memory access beyond allocated bounds, potentially crashing the system or exposing it to exploitation.
This vulnerability was first reported by Benoît Sevens of Google, highlighting its significance for the broader Linux community.
The patch, identified as commit ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9, introduces rigorous sanity checks within the clock descriptor validation functions.
The change modifies just 24 lines in the sound/usb/clock.c file, yet its impact is significant for audiophiles, developers, and enterprises relying on Linux for audio processing.
Users are encouraged to update their kernels to incorporate this patch, available for download as linux-ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9.tar.gz.
This development underscores the ongoing commitment of the Linux community to address vulnerabilities swiftly and maintain the operating system’s reputation for robustness and reliability.