CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Millions of Routers Vulnerable to Attacks Due to NetUSB Bug

A serious vulnerability affecting the NetUSB kernel driver developed by Taiwan-based tech company KCodes exposes millions of routers to hack attacks, researchers have warned.

According to its website, KCodes is one of the leading developers and suppliers of USB over IP solutions. The company says over 20% of world’s networking devices include KCodes technology.

A serious vulnerability affecting the NetUSB kernel driver developed by Taiwan-based tech company KCodes exposes millions of routers to hack attacks, researchers have warned.

According to its website, KCodes is one of the leading developers and suppliers of USB over IP solutions. The company says over 20% of world’s networking devices include KCodes technology.

The NetUSB (USB over IP) kernel driver developed by the company is designed to allow users to connect over their network to USB devices plugged into a router, access point, or other Linux-based embedded system. Users can access speakers, printers, hard drives, webcams and other USB devices by connecting to a NetUSB server via the Windows or OS X client.

KCodec NetUSB

Researchers at SEC Consult discovered that the NetUSB driver is plagued by a kernel stack buffer overflow vulnerability (CVE-2015-3036) that can be exploited by an unauthenticated attacker to execute arbitrary code or cause a denial-of-service (DoS) condition. The flaw, caused by insufficient input validation, can be triggered by specifying a computer name that is longer than 64 characters when the client connects to the server.

KCodes’ NetUSB driver is integrated into products from several vendors, including Netgear, TP-Link, ZyXEL, and TRENDnet. The feature is advertised with various names, such as “print sharing,” “USB share port” and “ReadySHARE.”

SEC Consult has confirmed that the vulnerability affects the latest firmware versions for TP-Link TL-WDR4300 V1, TP-Link WR1043ND v2, and Netgear WNDR4500. Researchers also identified the NetUSB feature in tens of router models from D-Link, Netgear, TP-Link, TRENDnet, and ZyXEL.

Furthermore, a component of the driver makes references to a total of 26 vendors that have likely licensed the NetUSB technology. The list includes Allnet, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, EDIMAX, Encore Electronics, Engenius, Etop, Hardlink, Hawking, IOGEAR, LevelOne, Longshine, PCI, PROLiNK, Sitecom, Taifa, and Western Digital.

The vulnerability can be exploited by an attacker on the local network, but in some cases exploitation over the Internet might also be possible through TCP port 20005, the port used by the server for client connections.

Advertisement. Scroll to continue reading.

“While NetUSB was not accessible from the internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the internet. We don’t know if this is due to user misconfiguration or the default setting within a specific device. Exposing NetUSB to the internet enables attackers to get access to USB devices of potential victims and this would actually count as another vulnerability,” SEC Consult wrote in a blog post.

SEC Consult informed KCodes of the existence of the vulnerability in February, but so far the vendor has failed to properly communicate the status of a patch.

The security firm told SecurityWeek that it hasn’t heard from KCodes since March 25, but it has learned that Netgear and TP-Link received patches for their firmware from the developer. Vendors can’t address the bug without the patch from KCodes, SEC Consult noted.

“To this day, only TP-LINK released fixes for the vulnerability and provided a release schedule for about 40 products. Sometimes NetUSB can be disabled via the web interface, but at least on NETGEAR devices this does not mitigate the vulnerability. NETGEAR told us, that there is no workaround available, the TCP port can’t be firewalled nor is there a way to disable the service on their devices,” SEC Consult said.

KCodes has not responded to SecurityWeek’s request for comment by the time of publication. 

CERT/CC, which released an advisory for the vulnerability on Tuesday, has reached out to other potentially impacted vendors to determine if their products are affected. Other CERTs are also involved in vendor coordination.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.