NetUSB Driver Flaw Exposes Millions of Routers to Hacking


hacking-router

A simple but shockingly dangerous vulnerability has been uncovered in the NetUSB component, putting Millions of modern routers and other embedded devices across the globe at risk of being compromised by hackers.

The security vulnerability, assigned CVE-2015-3036, is a remotely exploitable kernel stack buffer overflow flaw resides in Taiwan-based KCodes NetUSB.

NetUSB is a Linux kernel module that allows for users to flash drives, plug printers and other USB-connected devices into their routers so that they can be accessed over the local network.

NetUSB component is integrated into modern routers sold by some major manufacturers including D-Link, Netgear, TP-Link, ZyXEL and TrendNet.

The security flaw, reported by Stefan Viehbock of Austria-based SEC Consult Vulnerability Lab, can be triggered when a client sends the computer name to the server deployed on the networking device (TCP port 20005) in order to establish a connection.

However, if a connecting computer has a name longer than 64 characters, a stack buffer overflow occurs in the NetUSB service, resulting in memory corruption.

“Because of insufficient input validation, an overly long computer name can be used to overflow the computer name kernel stack buffer,” a Tuesday advisory states. “This results in memory corruption which can be turned into arbitrary remote code execution [or denial-of-service].”

How does the flaw works?

SEC Consult carried out its analysis of the NetUSB driver on a TP-Link device. In order to establish a server connection, authentication is required, based on an AES encryption key.

However, security researchers say that the authentication is found to be useless because the AES key is present both in the kernel driver as well as in the client software for Windows and OS X.

“All the server code runs in kernel mode, so this is a ‘rare’ remote kernel stack buffer overflow,” the researchers state in a blog post on Tuesday.

What’s even worse?

As NetUSB service code runs in kernel mode, hackers within the local network can easily exploit this vulnerability to gain ability to remotely execute malicious code at the kernel level, which is the heart of the routers’ computing functions.

This simply means an attacker could affect the devices with the highest possible privilege. Hackers could run an attack to either crash the device running the kernel module or compromise a router to install malware and spyware on its owners.

Affected Vendors:

Based on data embedded in KCodes NetUSB driver, security researchers at SEC Consult believe the following are among manufacturers that are affected by the kernel stack buffer overflow vulnerability:

ALLNET, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, D-Link, EDIMAX, Encore Electronics, EnGenius, HawkingTechnology, IOGEAR, LevelOne, LONGSHINE, NETGEAR, PCI, PROLiNK, Sitecom, TP-LINK, TRENDnet, Western Digital, and ZyXEL

Vendors Response:

SEC Consult contacted KCodes a number of times in February and March with details on the vulnerability and proof of concept code, but a patch wasn’t made available.

The security firm later contacted TP-Link and NetGear, as well as CERTs before making a public disclosure of the vulnerability.

Until now, only TP-Link addressed the vulnerability and provided a fix for the serious NetUSB vulnerability and scheduled patches for about 40 products. NetGear has yet to release a patch.

However, other vendors have yet to respond to the security issue.

How to mitigate the issue:

According to SEC Consult, the NetUSB feature was enabled on all devices checked, and the service was still running even when no USB devices were connected.

This simply means the feature is likely turned ON unless a user switches it OFF manually.

On some devices, it is possible for users to turn off the feature from the Web-based administration interface, and block access to port 20005 using a firewall. However, on some devices, this is not possible.

“At least on NETGEAR devices this does not mitigate the vulnerability,” states the blog post. “NETGEAR told us, that there is no workaround available, the TCP port can’t be firewalled nor is there a way to disable the service on their devices.”

You should keep an eye out for patches too and update your devices as soon as patches are made available in order to prevent any possibility of NetUSB exploits.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s