A simple vulnerability has been uncovered in the NetUSB component, millions of modern routers and other IoT devices are exposed to the risk of cyber attacks
The security expert Stefan Viehbock from SEC Consult Vulnerability Lab has reported a critical vulnerability (CVE-2015-3036) that potentially affects millions of routers and Internet of Things devices using the KCodes NetUSB component. An attacker could exploit the flaw in the NetUSB to remote hijacking the devices or to cause a denial of service attack.
Unfortunately, the impact of flaw is large because the NetUSB component is integrated into modern routers provided by major manufacturers including D-Link, Netgear, TP-Link, ZyXEL and TrendNet.
The vulnerability is a remotely exploitable kernel stack buffer overflow and resides in the KCodes NetUSB, which is a Linux kernel module which allows USB devices plugged into routers (i.e. Printers and external hard drives) the connection to the network over TCP port 20005 .
Vienbock explained that it is quite easy to trigger the vulnerability by using a connecting computer name longer than 64 characters, which causes a stack buffer overflow in the NetUSB service, resulting in memory corruption.
“By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket,” Vienbock says. “Because of insufficient input validation, an overly long computer name can be used to overflow the computer name kernel stack buffer,” “This results in memory corruption which can be turned into arbitrary remote code execution [or denial-of-service].”
As highlighted by the expert, IT industry is front of a ‘rare’ remote kernel stack buffer overflow:
“Easy as a pie, the ‘90s are calling and want their vulns back, stack buffer overflow. All the server code runs in kernel mode, so this is a “rare” remote kernel stack buffer overflow.”
TP-Link has already issued patches for 40 of its devices, the same for the company Netgear and Trendnet, but other vendors including D-Link are potentially exposed to attacks. Below the complete list of affected devices found by the researcher:
“ALLNET, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, D-Link, EDIMAX, Encore Electronics, EnGenius, HawkingTechnology, IOGEAR, LevelOne, LONGSHINE, NETGEAR, PCI, PROLiNK, Sitecom, TP-LINK, TRENDnet, Western Digital, and ZyXEL ““To get an idea how many products are affected, we downloaded a bunch of firmware images from D-Link, NETGEAR, TP-LINK, Trendnet and ZyXEL (actually, we downloaded all of them). Then we checked if those firmware images contain the NetUSB kernel driver (NetUSB.ko). We found 92 products out of the analysed firmware images that contain the NetUSB code. A list of affected products can be found in our advisory. We did not check the firmware of the remaining 21 vendors. Many affected products are high-end devices and were released very recently (yes, even the ones that look like spaceships!).
Viehbock has reported the flaw to the US-CERT, and other emergency response teams from Germany and Austria.
Be aware the NetUSB feature was enabled on all devices analyzed by the expert and it is important to note that the service is still running even when no USB devices are connected.
A possible mitigation action for the vulnerability discovered by Viehbock consists in disabling NetUSB from the admin console of the device, a solution that works only on specific devices. Experts suggest to block access to port 20005 using a firewall.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.