A Serious Vulnerability Affecting the 'NetUSB' Kernel Driver Developed by Taiwan-Based Technology Company, KCodes, Exposes millions of routers to hack attacks, researchers have warned.
According to its website, KCodes, is One of the Leading Developers and Suppliers of USB over IP Solutions. The Company Says, over 20% of the World’s Networking Devices include, KCodes Technology.
The 'NetUSB' (USB over IP) Kernel Driver Developed by the Company, is Designed to Allow Users to Connect over their Network to USB Devices Plugged into a Router, Access Point, or Other Linux-Based Embedded System. Users Can Access Speakers, Printers, Hard Drives, Webcams and Other USB Devices, by Connecting to a 'NetUSB' Server via the Windows or OS X Client. Researchers at SEC Consult Discovered that, the 'NetUSB' Driver is Plagued by a Kernel Stack Buffer Overflow Vulnerability (CVE-2015-3036) that, Can be Exploited by an Unauthenticated Attacker, to Execute Arbitrary Code or Cause a Denial-of-Service (DDoS) Condition. The Flaw, Caused by Insufficient Input Validation, Can be Triggered by Specifying a Computer Name that, is Longer than 64 Characters When the Client Connects to the Server.
KCodes’ 'NetUSB' Driver is Integrated into Products from Several Vendors, including Netgear, TP-Link, ZyXEL and TRENDnet.
The Feature is Advertised with Various Names, such as
“Print Sharing”,
“USB Share Port” and
“ReadySHARE”. SEC Consult has Confirmed that, the Vulnerability Affects the Latest Firmware Versions for TP-Link TL-WDR4300 V1, TP-Link WR1043ND v2 and Netgear WNDR4500. Researchers also Identified the 'NetUSB' Feature in 10s of Router Models from D-Link, Netgear, TP-Link, TRENDnet and ZyXEL.
Furthermore, a Component of the Driver, Makes References to a Total of 26 Vendors that Have likely Licensed the 'NetUSB' Technology. The List includes Allnet, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, EDIMAX, Encore Electronics, Engenius, Etop, Hardlink, Hawking, IOGEAR, LevelOne, Longshine, PCI, PROLiNK, Sitecom, Taifa and Western Digital.
The Vulnerability Can be Exploited by an Attacker on the Local Network but, in Some Cases, Exploitation over the Internet might also be Possible through TCP Port 20005, the Port Used by the Server for Client Connections.
“While NetUSB was not accessible from the internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the internet. We don’t know if this is due to user misconfiguration or the default setting within a specific device. Exposing NetUSB to the internet enables attackers to get access to USB devices of potential victims and this would actually count as another vulnerability”,
SEC Consult Wrote in a Blog Post.
SEC Consult Informed KCodes, of the Existence of the Vulnerability in February but so Far, the Vendor has Failed to Properly Communicate the Status of a Patch.
The Security Firm Told SecurityWeek that, it Hasn’t Heard from KCodes since March 25 but, it has Learned that, Netgear and TP-Link Received Patches for their Firmware from the Developer. Vendors Can’t Address the Bug without the Patch from KCodes, SEC Consult Noted.
“To this day, only TP-LINK released fixes for the vulnerability and provided a release schedule for about 40 products. Sometimes NetUSB can be disabled via the web interface but, at least, on NETGEAR devices, this does not mitigate the vulnerability. NETGEAR told us, that there is no workaround available, the TCP port can't be firewalled nor is there a way to disable the service on their devices”,
SEC Consult Said.
KCodes Hasn't Responded to SecurityWeek's Request for Comment by the Time of Publication.
CERT/CC, which Released an Advisory for the Vulnerability on Tuesday, has Reached Out to Other Potentially Impacted Vendors to Determine if their Products are Affected. Other CERTs are also Involved in Vendor Coordination.
Info Sources:
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt
http://blog.sec-consult.com/2015/05/kcodes-netusb-how-small-taiwanese.html
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=177092&SearchOrder=4