The security expert Stefan Viehbock of SEC Consult Vulnerability Lab has reported a critical vulnerability (CVE-2015-3036) that potentially affects millions of routers and Internet of Things devices using the KCodes NetUSB component. An attacker could exploit the flaw in NetUSB to remotely hijack the devices or to cause a denial of service.
Unfortunately, the impact of the flaw is large because the NetUSB component is integrated into modern routers from major manufacturers including D-Link, Netgear, TP-Link, ZyXEL and TRENDnet.
The vulnerability is a remotely exploitable kernel stack buffer overflow in KCodes NetUSB, a Linux kernel module that exposes USB devices plugged into a router (e.g. printers and external hard drives) to the network over TCP port 20005.
Viehbock explained that the vulnerability is quite easy to trigger: a connecting client supplies a computer name longer than 64 characters, which overflows a stack buffer in the NetUSB service and corrupts kernel memory.
“By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket,” Viehbock says. “Because of insufficient input validation, an overly long computer name can be used to overflow the computer name kernel stack buffer. This results in memory corruption which can be turned into arbitrary remote code execution [or denial-of-service].”
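To make the bug class concrete, here is an added C model of the flaw Viehbock describes. It was written for this article and is not code from the NetUSB driver or from SEC Consult's advisory. The fake socket, the `struct frame` with its sentinel `neighbour` field, the 4-byte length prefix and all function names are assumptions made for illustration; the only facts taken from the text are the 64-byte computer-name buffer, its location on the kernel stack and the missing length check. The vulnerable copy is shown beside a hardened version that rejects over-long names before touching the buffer:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAME_BUF_LEN 64          /* computer-name buffer size named in the advisory */
#define SENTINEL     0xC0FFEE11u /* marks the adjacent stack slot as untouched */

/* Constructed stand-in for the kernel socket (hypothetical helper): the "wire"
 * is a byte array we fill in ourselves, not a connection on TCP port 20005. */
struct fake_sock {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

static int sock_recv(struct fake_sock *s, void *dst, size_t n)
{
    if (n > s->len - s->pos)
        return -1;                   /* peer sent fewer bytes than announced */
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return 0;
}

/* Model of a kernel stack frame: the name buffer plus one adjacent local. In the
 * real module the victim is whatever sits above the buffer on the kernel stack. */
struct frame {
    uint8_t  name[NAME_BUF_LEN];
    uint32_t neighbour;
};

/* Vulnerable pattern: the client-supplied length is trusted, so a value above 64
 * runs the copy past name[] into neighbour. Returns neighbour so the caller can
 * see the damage. The clamp to sizeof *f only keeps this simulation inside a
 * valid object; the bug described in the advisory has no upper bound at all. */
static uint32_t handle_name_vulnerable(struct fake_sock *s, struct frame *f)
{
    uint32_t len;
    memset(f->name, 0, sizeof f->name);
    f->neighbour = SENTINEL;
    if (sock_recv(s, &len, sizeof len) < 0)
        return f->neighbour;
    if (len > sizeof *f)
        len = (uint32_t)sizeof *f;       /* simulation-only clamp */
    sock_recv(s, (uint8_t *)f, len);     /* no check against NAME_BUF_LEN */
    return f->neighbour;
}

/* Hardened pattern: reject any length the buffer cannot hold before copying a
 * single byte, then NUL-terminate what was accepted. 0 on success, -1 on an
 * over-long or truncated name. */
static int handle_name_hardened(struct fake_sock *s, struct frame *f)
{
    uint32_t len;
    memset(f->name, 0, sizeof f->name);
    f->neighbour = SENTINEL;
    if (sock_recv(s, &len, sizeof len) < 0)
        return -1;
    if (len >= NAME_BUF_LEN)             /* leave room for the terminator */
        return -1;
    if (sock_recv(s, f->name, len) < 0)
        return -1;
    f->name[len] = '\0';
    return 0;
}

/* Builds a constructed client message: 4-byte length (host byte order; this is
 * a model, not the real wire format) followed by name_len bytes of fill. */
static size_t build_hello(uint8_t *out, size_t cap, uint32_t name_len, uint8_t fill)
{
    if (cap < 4 + (size_t)name_len)
        return 0;
    memcpy(out, &name_len, 4);
    memset(out + 4, fill, name_len);
    return 4 + name_len;
}

/* Feeds a name of name_len 'A's to the vulnerable handler; returns neighbour. */
static uint32_t run_vulnerable(uint32_t name_len)
{
    uint8_t wire[256];
    struct frame f;
    struct fake_sock s = { wire, build_hello(wire, sizeof wire, name_len, 'A'), 0 };
    return handle_name_vulnerable(&s, &f);
}

/* Same input to the hardened handler; returns its status code. */
static int run_hardened(uint32_t name_len)
{
    uint8_t wire[256];
    struct frame f;
    struct fake_sock s = { wire, build_hello(wire, sizeof wire, name_len, 'A'), 0 };
    return handle_name_hardened(&s, &f);
}

int main(void)
{
    printf("vulnerable, 68-byte name: neighbour=0x%08x\n", run_vulnerable(68));
    printf("hardened,   68-byte name: rc=%d\n", run_hardened(68));
    return 0;
}
```

With a 16-byte name both handlers behave identically. With a 68-byte name the vulnerable handler leaves `neighbour` overwritten with 0x41414141, while the hardened handler refuses the message before a single byte reaches the buffer. On a real kernel stack the overwritten slot could be a saved return address, which is how the "memory corruption" in the quote above becomes remote code execution or a crash.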
As the expert highlights, the IT industry is facing a ‘rare’ remote kernel stack buffer overflow:
“Easy as a pie, the ‘90s are calling and want their vulns back, stack buffer overflow. All the server code runs in kernel mode, so this is a “rare” remote kernel stack buffer overflow.”
TP-Link has already issued patches for 40 of its devices, as have Netgear and TRENDnet, but other vendors, including D-Link, remain potentially exposed to attacks. Below is the complete list of vendors whose products the researcher found to be affected:
“ALLNET, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, D-Link, EDIMAX, Encore Electronics, EnGenius, Hawking Technology, IOGEAR, LevelOne, LONGSHINE, NETGEAR, PCI, PROLiNK, Sitecom, TP-LINK, TRENDnet, Western Digital, and ZyXEL”
“To get an idea how many products are affected, we downloaded a bunch of firmware images from D-Link, NETGEAR, TP-LINK, Trendnet and ZyXEL (actually, we downloaded all of them). Then we checked if those firmware images contain the NetUSB kernel driver (NetUSB.ko). We found 92 products out of the analysed firmware images that contain the NetUSB code. A list of affected products can be found in our advisory. We did not check the firmware of the remaining 21 vendors. Many affected products are high-end devices and were released very recently (yes, even the ones that look like spaceships!).”
Viehbock reported the flaw to US-CERT and to the national computer emergency response teams of Germany and Austria.
Note that the NetUSB feature was enabled on every device the expert analyzed, and that the service keeps running even when no USB device is plugged in.
One mitigation is to disable NetUSB from the device's administration console, but that option is available only on some devices. Experts also suggest blocking access to TCP port 20005 with a firewall.
(Security Affairs – NetUSB, hacking)