Security Experts:

Router Vendors Working to Patch NetUSB Driver Vulnerability

Router manufacturers whose products have been confirmed to be affected by the recently disclosed NetUSB driver security flaw say they are working on developing firmware updates that address the vulnerability.

SEC Consult revealed last week that millions of routers could be exposed to attacks due to a kernel stack buffer overflow vulnerability (CVE-2015-3036) in the NetUSB driver from KCodes. The driver in question allows users to connect to USB devices plugged into a router or access point over the network.

The vulnerability, caused by insufficient input validation, can be triggered by connecting to the server from a client with a computer name longer than 64 characters. An unauthenticated attacker can exploit the flaw to cause a denial-of-service (DoS) condition or execute arbitrary code. The bug can be exploited by an attacker who has access to the local network, but exploitation over the Internet might also be possible in some cases.

SEC Consult says it has found evidence that a total of 26 vendors use NetUSB. However, so far, the security hole has been confirmed to affect products from TP-Link, TRENDnet, ZyXEL, Netgear, and D-Link.

KCodes has failed to communicate with SEC Consult regarding the availability of a fix. However, the security firm has learned that the Taiwan-based tech company has started shipping patched versions of NetUSB to router vendors.

TP-Link started releasing fixes before SEC Consult disclosed the existence of the flaw. The other router vendors published advisories informing users of their intention to release firmware updates in the upcoming period.

TRENDnet says the vulnerability affects the following models: TEW-811DRU, TEW-812DRU, TEW-813DRU, TEW-818DRU, TEW-823DRU, and TEW-828DRU. The company hopes to release firmware updates for these devices in early June.

According to ZyXEL, the NetUSB vulnerability affects four of its products: Wireless N300 NetUSB Router (NBG-419N v2), Wireless N300 Gigabit NetUSB Router (NBG4615 v2), Simultaneous Dual-Band Wireless N750 Media Router (NBG5615), and Simultaneous Dual-Band Wireless N900 Media Router (NBG5715). ZyXEL expects to release firmware updates for these models in mid-June.

“ZyXEL is aware of the vulnerability to KCodes NetUSB on four of ZyXEL routers and assures our customers that the rest of ZyXEL products are not affected. ZyXEL has identified the root cause and a fix to the problem. We are now in the process of rebuilding the NetUSB modules on the affected routers,” ZyXEL said.

Netgear, which calls the vulnerable feature “ReadySHARE,” says it will start releasing firmware versions that address this issue in July. Until updates are available, the company advises customers to take steps to block unauthorized access to their network.

“By default NETGEAR routers are pre-configured with random SSID and passphrase. It is recommended to change the SSID and passphrase, as well as administrator password to the router setup GUI page. You can also block unauthorized device from the NETGEAR Genie App or desktop application by right-clicking on the unauthorized device in the Network Map,” Netgear said.

In its own advisory, D-Link noted that the company does not currently deploy products using the NetUSB driver from KCodes. “All D-Link routers that deploy Shareport Mobile or mydlink Shareport are not affected,” the company said.

However, there are a dozen D-Link router models that use the vulnerable component. The list includes DIR-628, DIR-632, DIR-655, DIR-685, DIR-825, DIR-855, DGL-4500, DAP-1350, and DHP-1320. Firmware updates for these devices are under development, D-Link said.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.