CVE-2024-41035

USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

NVD
RedHat

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor

Syzbot has identified a bug in usbcore (see the Closes: tag below)
caused by our assumption that the reserved bits in an endpoint
descriptor's bEndpointAddress field will always be 0. As a result of
the bug, the endpoint_is_duplicate() routine in config.c (and possibly
other routines as well) may believe that two descriptors are for
distinct endpoints, even though they have the same direction and
endpoint number. This can lead to confusion, including the bug
identified by syzbot (two descriptors with matching endpoint numbers
and directions, where one was interrupt and the other was bulk).

To fix the bug, we will clear the reserved bits in bEndpointAddress
when we parse the descriptor. (Note that both the USB-2.0 and USB-3.1
specs say these bits are "Reserved, reset to zero".) This requires us
to make a copy of the descriptor earlier in usb_parse_endpoint() and
use the copy instead of the original when checking for duplicates.

A vulnerability was found in the usb_parse_endpoint() function in the Linux kernel's usb drivers, where improper handling of the reserved bits in an endpoint descriptor's bEndpointAddress field can lead to confusion in the endpoint_is_duplicate() routine in config.c. This will erroneously treat the same endpoint descriptors as distinct, given that the reserved bits are not properly cleared. This can potentially lead to unexpected behavior from connected USB devices.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-12 CVE Reserved
2024-07-29 CVE Published
2024-07-30 EPSS Updated
2024-11-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-99: Improper Control of Resource Identifiers ('Resource Injection')

CAPEC

References (18)

URL	Tag	Source
https://git.kernel.org/stable/c/0a8fd1346254974c3a852338508e4a4cddbb35f1	Vuln. Introduced
https://git.kernel.org/stable/c/c3726b442527ab31c7110d0445411f5b5343db01	Vuln. Introduced
https://git.kernel.org/stable/c/15668b4354b38b41b316571deed2763d631b2977	Vuln. Introduced
https://git.kernel.org/stable/c/8597a9245181656ae2ef341906e5f40af323fbca	Vuln. Introduced
https://git.kernel.org/stable/c/264024a2676ba7d91fe7b1713b2c32d1b0b508cb	Vuln. Introduced
https://git.kernel.org/stable/c/b0de742a1be16b76b534d088682f18cf57f012d2	Vuln. Introduced
https://git.kernel.org/stable/c/7cc00abef071a8a7d0f4457b7afa2f57f683d83f	Vuln. Introduced
https://git.kernel.org/stable/c/05b0f2fc3c2f9efda47439557e0d51faca7e43ed	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/d8418fd083d1b90a6c007cf8dcf81aeae274727b	2024-07-18
https://git.kernel.org/stable/c/60abea505b726b38232a0ef410d2bd1994a77f78	2024-07-18
https://git.kernel.org/stable/c/d09dd21bb5215d583ca9a1cb1464dbc77a7e88cf	2024-07-18
https://git.kernel.org/stable/c/2bd8534a1b83c65702aec3cab164170f8e584188	2024-07-18
https://git.kernel.org/stable/c/9edcf317620d7c6a8354911b69b874cf89716646	2024-07-18
https://git.kernel.org/stable/c/647d61aef106dbed9c70447bcddbd4968e67ca64	2024-07-18
https://git.kernel.org/stable/c/37514a5c1251a8c5c95c323f55050736e7069ac7	2024-07-18
https://git.kernel.org/stable/c/a368ecde8a5055b627749b09c6218ef793043e47	2024-07-03

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-41035	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2300402	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 4.19.318 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 4.19.318"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 5.4.280 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 5.4.280"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 5.10.222 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 5.10.222"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 5.15.163 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 5.15.163"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 6.1.100 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 6.1.100"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 6.6.41 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 6.6.41"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 6.9.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 6.9.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 6.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.2.87 Search vendor "Linux" for product "Linux Kernel" and version "3.2.87"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.10.106 Search vendor "Linux" for product "Linux Kernel" and version "3.10.106"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.12.70 Search vendor "Linux" for product "Linux Kernel" and version "3.12.70"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.16.42 Search vendor "Linux" for product "Linux Kernel" and version "3.16.42"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.1.39 Search vendor "Linux" for product "Linux Kernel" and version "4.1.39"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.4.42 Search vendor "Linux" for product "Linux Kernel" and version "4.4.42"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.9.3 Search vendor "Linux" for product "Linux Kernel" and version "4.9.3"		en		Affected