Security researchers have uncovered a critical vulnerability in the KCodes NetUSB driver that exposes routers to denial-of-service (DoS) attacks and potentially lets an attacker compromise and fully hijack the device.
Researchers at SEC Consult disclosed that if a client on the network sends a computer name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB driver. An attacker could then hijack the router and abuse it to launch further attacks or spy on network traffic.
KCodes NetUSB is a Linux kernel module that allows users to plug flash drives, printers and other USB devices into their router, making the devices accessible throughout the local network.
Vendors that integrated NetUSB include popular router models from D-Link, Netgear, TP-Link, TrendNet and ZyXEL.
SEC Consult researcher Stefan Viehböck disclosed the NetUSB flaw (CVE-2015-3036). The lab found that it can be triggered when a client connects to the NetUSB service on TCP port 20005 and sends its computer name as part of establishing the connection.
“Because of insufficient input validation, an overly long computer name can be used to overflow the computer name kernel stack buffer,” SEC Consult's Viehböck wrote. “This results in memory corruption which can be turned into arbitrary remote code execution [or denial-of-service].”
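To make the bug class concrete, here is an added illustration in C. It is not the KCodes driver source or SEC Consult's proof of concept; it is a userspace model of the handshake as the advisory describes it (the client sends the length of its computer name followed by the name, and the driver copies the name into a 64-byte stack buffer). The 4-byte little-endian length prefix, the function names and the one byte reserved for a NUL terminator are assumptions of this model. The vulnerable parser is shown beside a hardened one that bounds the copy by both the bytes actually received and the buffer capacity.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of the NetUSB handshake, not the KCodes source: a 4-byte
 * little-endian length (assumed framing) followed by the computer name,
 * copied into a fixed 64-byte buffer that stands in for the kernel stack
 * buffer named in the advisory. */
#define NETUSB_NAME_BUF 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_MESSAGE = -1,   /* fewer bytes received than the length claims */
    PARSE_NAME_TOO_LONG = -2    /* name does not fit the stack buffer */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Builds "<len><name>" into out; returns bytes written, 0 if out is too small. */
size_t build_hello(const char *name, uint8_t *out, size_t out_cap)
{
    size_t n = strlen(name);
    if (out_cap < 4 + n)
        return 0;
    out[0] = (uint8_t)n;          out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n >> 16);  out[3] = (uint8_t)(n >> 24);
    memcpy(out + 4, name, n);
    return 4 + n;
}

/* Vulnerable pattern: the client-controlled length drives the copy. A name
 * longer than the buffer writes past the end of dst (on the device, past the
 * kernel stack frame) and also reads past the received message. Only call
 * this with trusted input; it is here to show the shape of the bug. */
int parse_hello_vulnerable(const uint8_t *msg, size_t msg_len, char dst[NETUSB_NAME_BUF])
{
    if (msg_len < 4)
        return PARSE_SHORT_MESSAGE;
    uint32_t name_len = read_le32(msg);
    memcpy(dst, msg + 4, name_len);   /* no check against NETUSB_NAME_BUF */
    dst[name_len] = '\0';             /* out-of-bounds write for long names */
    return PARSE_OK;
}

/* Hardened version: validate the length against the bytes actually received
 * and against the destination capacity (minus the terminator) before copying. */
int parse_hello_hardened(const uint8_t *msg, size_t msg_len, char dst[NETUSB_NAME_BUF])
{
    if (msg_len < 4)
        return PARSE_SHORT_MESSAGE;
    uint32_t name_len = read_le32(msg);
    if (name_len > msg_len - 4)
        return PARSE_SHORT_MESSAGE;
    if (name_len >= NETUSB_NAME_BUF)
        return PARSE_NAME_TOO_LONG;
    memcpy(dst, msg + 4, name_len);
    dst[name_len] = '\0';
    return PARSE_OK;
}

/* Convenience: status the hardened parser returns for a name of n 'A's. */
int hardened_status_for_len(size_t n)
{
    char name[200];
    uint8_t msg[256];
    char dst[NETUSB_NAME_BUF];
    if (n >= sizeof name)
        n = sizeof name - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    size_t len = build_hello(name, msg, sizeof msg);
    return parse_hello_hardened(msg, len, dst);
}

int main(void)
{
    uint8_t msg[256];
    char dst[NETUSB_NAME_BUF];
    size_t n = build_hello("workstation-01", msg, sizeof msg);
    printf("benign name: status=%d name=%s\n", parse_hello_hardened(msg, n, dst), dst);
    printf("63-char name: status=%d\n", hardened_status_for_len(63));
    printf("100-char name: status=%d (rejected before any copy)\n", hardened_status_for_len(100));
    /* parse_hello_vulnerable() with the 100-char message would smash dst. */
    return 0;
}
```

The hardened parser rejects the overlong name before touching the buffer; the vulnerable one trusts the length field and would copy all 100 bytes into a 64-byte frame, which is the memory corruption the advisory describes. Note that checking the length against the received message size alone is not enough: the capacity check is the one that stops the stack write.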
Researchers performed their testing on a TP-Link router. Connecting to the NetUSB service requires an authentication step based on an AES key.
However, that authentication offers little protection: the AES key is static and already embedded in both the kernel driver and the NetUSB client software for Windows and OS X, so it can be extracted and reused by anyone.
“All the server code runs in kernel mode, so this is a ‘rare’ remote kernel stack buffer overflow,” Sec Consult said in a blog post.
Based on SEC Consult's research, the KCodes NetUSB driver is believed to be present in devices from the following manufacturers, which may therefore be vulnerable to the kernel stack overflow: ALLNET, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, D-Link, EDIMAX, Encore Electronics, EnGenius, HawkingTechnology, IOGEAR, LevelOne, LONGSHINE, NETGEAR, PCI, PROLiNK, Sitecom, TP-LINK, TRENDnet, Western Digital, and ZyXEL.
SEC Consult contacted KCodes several times over the past four months, handing over details of the vulnerability together with proof-of-concept code, but received neither a patch nor a date for one.
At the time of writing, TP-Link is the only vendor to have addressed the vulnerability, providing fixes for the NetUSB flaw for more than 40 of its routers. The other vendors listed above have yet to release patches for affected devices.
Compounding the problem, researchers found the NetUSB feature was enabled by default on all affected devices, and the service was running even when no USB device was connected.
Where the firmware allows it, disabling the NetUSB feature in the router's administration interface mitigates the issue; check that the setting survives reboots and firmware updates, because the device is exposed again the moment the service is re-enabled.
On a number of devices you can log in to the router's administration panel and block access to TCP port 20005 using the built-in firewall or similar means. However, this is not possible on all devices.
“At least on NETGEAR devices this does not mitigate the vulnerability. NETGEAR told us that there is no workaround available, the TCP port can't be firewalled nor is there a way to disable the service on their devices.”
If your router comes from an affected vendor, watch for firmware updates patching this critical flaw, and disable or block NetUSB in the meantime where your device allows it.