[Software] Necessary conditions to exploit CVE-2021-3612 (joystickdriver)

[poweruser181]

Hello
I was tasked with assessing the risk due to CVE-2021-3612 concerning some legacy machines.
When I checked the existing data to that flaw, I couldn't find much info on what an attacker needs to do on my systems to use that flaw, but [https://lists.debian.org/debian-lts-ann ... 00010.html] and similar other sources alike say this:

CVE-2021-3612

Murray McAllister reported a flaw in the joystick input subsystem.
A local user permitted to access a joystick device could exploit
this to read and write out-of-bounds in the kernel, which could
be used for privilege escalation.

Do I read this right, that for exploiting that, a joystick or a hardware device posing as such would need to be plugged into my machines?
Would the malicious actor need to be already on my systems as this mentions a local attacker?

If so, are servers, installed with minimal software and definitly no joysticks plugged in, even vulnerable?

Thanks in advance for advice.
Regards
P

[Enigma83]

Do you have any gaming controllers? Xbox, PlayStation, Logitech, etc? It seems that if the exploit targets joysticks, then not having that hardware attached to your PC would logically make you not at risk.

[fabien]

Hello,

some legacy machines.

What operating system? What kernel?

[wizard10000]

I couldn't find an answer to this question outside of AI so here's ChatGPT's response which you may or may not want to take with a grain of salt -

me

CVE-2021-3612 - does a linux machine need to have a joystick connected to be vulnerable?

ChatGPT

CVE-2021-3612 is a vulnerability affecting the Linux kernel's "Joy-Con HID driver" that could allow a local attacker to crash the system or execute arbitrary code. This vulnerability doesn't require an actual physical joystick to be connected to the machine for exploitation. The vulnerability lies in how the Linux kernel handles certain input events related to joysticks, specifically in the Joy-Con HID driver. Attackers could potentially exploit this vulnerability remotely or locally without the need for physical access to a joystick. Therefore, it's crucial to patch affected systems promptly to mitigate any potential risk.

[poweruser181]

Do you have any gaming controllers? Xbox, PlayStation, Logitech, etc? It seems that if the exploit targets joysticks, then not having that hardware attached to your PC would logically make you not at risk.

As those are virtual productive servers, the answer is no. However, I do not know how exactly the linux drivers work and when they get loaded, so I'm not sure whether this actually means that those machines are safe.

[poweruser181]

I couldn't find an answer to this question outside of AI so here's ChatGPT's response which you may or may not want to take with a grain of salt -

me

CVE-2021-3612 - does a linux machine need to have a joystick connected to be vulnerable?

ChatGPT

CVE-2021-3612 is a vulnerability affecting the Linux kernel's "Joy-Con HID driver" that could allow a local attacker to crash the system or execute arbitrary code. This vulnerability doesn't require an actual physical joystick to be connected to the machine for exploitation. The vulnerability lies in how the Linux kernel handles certain input events related to joysticks, specifically in the Joy-Con HID driver. Attackers could potentially exploit this vulnerability remotely or locally without the need for physical access to a joystick. Therefore, it's crucial to patch affected systems promptly to mitigate any potential risk.

Thanks for that. However, if I just ask chatGPT what that CVE is about without providing it any additional Information, it starts to hallucinate something about amd graphics cards, so I'm entirely unsure how reliable that information might be.

Is anyone aware of any further information concerning that vulnerability? I didn't find any news article or anything. Or can someone explain, how and when the drivers are loaded, so that I might make an educated guess?

Thanks in advance again.

[fabien]

You didn't answer my question, but that's not really a problem.
If systems match one of the supported versions and are up to date, this vulnerability has been fixed.
If systems aren't up to date, they're probably affected by hundreds of other vulnerabilities, so why focus on this one in particular?