CVE-2017-17558 Information

Feb 14, 2021 cve

Description

The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.

CVSS Vector

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html http://openwall.com/lists/oss-security/2017/12/12/7 https://access.redhat.com/errata/RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1190 https://lists.debian.org/debian-lts-announce/2018/01/msg00004.html https://usn.ubuntu.com/3619-1/ https://usn.ubuntu.com/3619-2/ https://usn.ubuntu.com/3754-1/ https://www.debian.org/security/2017/dsa-4073 https://www.debian.org/security/2018/dsa-4082 https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://www.spinics.net/lists/linux-usb/msg163644.html

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

6.6

Share on: