CVE-2020-11668 Overview
CVE-2020-11668 is a NULL pointer dereference vulnerability [CWE-476] in the Linux kernel's Xirlink camera USB driver (drivers/media/usb/gspca/xirlink_cit.c). The driver mishandles invalid USB descriptors, allowing a local attacker with the ability to attach a crafted USB device to trigger a kernel-level fault. Linus Torvalds patched the issue under commit a246b4d54770, and the fix shipped in Linux kernel 5.6.1.
The flaw affects integrity and availability of the host system but does not expose confidential data directly. Multiple downstream distributions, including Debian and Ubuntu, issued security updates between April and June 2020.
Critical Impact
A local attacker supplying a malicious USB camera descriptor can crash the kernel or potentially escalate impact through memory corruption, leading to denial of service on affected Linux systems.
Affected Products
- Linux Kernel versions prior to 5.6.1
- Debian GNU/Linux (addressed in DSA-4698 and LTS announcements)
- Ubuntu Linux (addressed in USN-4345-1, USN-4364-1, USN-4368-1, USN-4369-1)
Discovery Timeline
- 2020-04-09 - CVE-2020-11668 published to NVD
- 2020-04-30 - NetApp Security Advisory ntap-20200430-0004 released
- 2020-06-11 - Debian LTS announcements published
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-11668
Vulnerability Analysis
The Xirlink camera USB driver parses descriptors received from connected USB devices during initialization. The driver assumes that alternate settings contain at least one endpoint and accesses alt->endpoint[0] without validating the bNumEndpoints field. When a USB device advertises an alternate setting with zero endpoints, the kernel dereferences an out-of-bounds or NULL endpoint pointer, triggering a fault in kernel context.
The vulnerability falls under [CWE-476] (NULL Pointer Dereference). Exploitation requires local access to attach a malicious or crafted USB device to the target system.
Root Cause
The root cause is missing input validation on USB descriptor data. The original code in xirlink_cit.c does not check alt->desc.bNumEndpoints before reading alt->endpoint[0].desc.wMaxPacketSize. Attacker-controlled descriptor values bypass the implicit assumption that every alternate setting includes endpoints.
Attack Vector
An attacker with physical or virtual USB access supplies a crafted device descriptor advertising an alternate setting with zero endpoints. When the kernel binds the Xirlink camera driver to the device, the driver dereferences invalid memory, causing a kernel oops or panic. The attack vector is local with low privileges required.
// Patch from drivers/media/usb/gspca/xirlink_cit.c
// Source: https://github.com/torvalds/linux/commit/a246b4d547708f33ff4d4b9a7a5dbac741dc89d8
return -EIO;
}
+ if (alt->desc.bNumEndpoints < 1)
+ return -ENODEV;
+
return le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
}
The patch adds an explicit sanity check rejecting descriptors that declare fewer than one endpoint, returning -ENODEV before the unsafe access.
Detection Methods for CVE-2020-11668
Indicators of Compromise
- Unexpected kernel oops or panic entries in dmesg referencing xirlink_cit or gspca modules
- USB device enumeration events followed by kernel module faults
- System crashes or reboots correlated with USB device insertion
Detection Strategies
- Query installed kernel versions across the fleet and flag hosts running kernels older than 5.6.1 without distribution backports applied
- Audit /var/log/kern.log and journalctl -k output for stack traces involving cit_get_packet_size or related Xirlink camera routines
- Monitor USB device connection events on servers and workstations using udev logging or auditd rules targeting USB subsystem activity
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture forensic data on kernel faults
- Track USB device insertion events on production and sensitive endpoints, alerting on unexpected camera-class devices
- Centralize kernel logs and dmesg output into a SIEM for correlation across hosts
How to Mitigate CVE-2020-11668
Immediate Actions Required
- Upgrade the Linux kernel to version 5.6.1 or later, or apply the distribution-specific patched package
- Apply Ubuntu USN-4345-1, USN-4364-1, USN-4368-1, or USN-4369-1 on affected Ubuntu releases
- Apply Debian DSA-4698 or the corresponding LTS update on affected Debian systems
- Restrict physical access to systems where untrusted USB devices could be attached
Patch Information
The upstream fix is commit a246b4d547708f33ff4d4b9a7a5dbac741dc89d8, included in Linux kernel 5.6.1. Refer to the Linux Kernel ChangeLog 5.6.1 and the upstream commit. Vendor advisories are available from Debian, Ubuntu, and NetApp.
Workarounds
- Blacklist the gspca_xirlink_cit module on systems that do not require Xirlink USB camera support by adding blacklist gspca_xirlink_cit to /etc/modprobe.d/blacklist.conf
- Disable USB ports on systems handling sensitive workloads where USB devices are not required
- Enforce USB device authorization policies using kernel-level USB controls such as usbguard
# Blacklist the vulnerable driver until patching is complete
echo "blacklist gspca_xirlink_cit" | sudo tee /etc/modprobe.d/disable-xirlink-cit.conf
sudo update-initramfs -u
sudo modprobe -r gspca_xirlink_cit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
