NetUSB Bug Makes Millions of Routers Vulnerable

Carnegie Mellon University CERT uncovered important security flaw in KCode NetUSB. NetUSB is a Linux kernel module of small Taiwanese company KCodes that adds USB over IP feature to router. This product provides USB device sharing option to home networks. This same product is used by leading companies, Netgear and TP-Link.

What is the problem?

When plugged in any USB device becomes available over network via NetUSB server launched on TCP port 20005, the client side resides in provided Windows and OS X  software and user may interact with USB like it was plugged in locally. The problem is that USB server will continue running even when the USB device is unplugged.

Establishing a connection to server is simple as it uses static AES keys found in kernel driver and client software too. In order to initiate a connection client needs to send a computer name, but if an user sends computer name containing more than 64 characters the stack buffer overflow takes place. The fact than server code is run inside a kernel mode, makes the vulnerability a rare one.

In general NetUSB is not accessible from an outside network, however they have been cases were, due to user error or a device specifics TCP 20005 was exposed to internet. This makes a vulnerability even more serious, we urge you to follow recommendations on this vulnerability CVE-2015-3036.

 

Who is Affected?

NetUSB.inf, located in Windows client software, provides list of vendors using NetUSB. At this moment we may assume that following company products may be affected:

 

Allnet
Ambir Technology
AMIT
Asante
Atlantis
Corega
Digitus
D-Link
EDIMAX
Encore Electronics
Engenius
Etop
Hardlink
Hawking
IOGEAR
LevelOne
Longshine
NETGEAR
PCI
PROLiNK
Sitecom
Taifa
TP-LINK
TRENDnet
Western Digital
ZyXEL

Solution

Firmware update

Refer to the Vendor Information section below and contact your vendor for firmware update information.

Affected users may also consider the following workarounds:

Disable device sharing

Consult your device’s vendor and documentation as some devices may allow disabling the USB device sharing service on your network.

Block port 20005

Blocking port 20005 on the local network may help mitigate this attack by preventing access to the service.

One Response

  1. angela May 20, 2015

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.