CVE-2020-15137

Name of the Vulnerable Software and Affected Versions HoRNDIS versions (affected versions not specified)

Description The issue is caused by an integer overflow in the RNDIS packet parsing routines, allowing a malicious USB device to trigger disclosure of unrelated kernel memory to userspace applications on the host or cause the kernel to crash. Kernel memory disclosure is more likely on 32-bit kernels, while 64-bit kernels are more likely to crash during attempted exploitation. The vulnerability is located in the HoRNDIS::receivePacket function, where variables msg len, data ofs, and data len can be controlled by an attached USB device. A negative value of data ofs can bypass the check for (data ofs + data len + 8) > msg len, leading to a wild pointer copy in the mbuf copyback call.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of HoRNDIS to only trusted USB devices, especially in multi-tenant systems.