Carnegie Mellon University CERT has uncovered an important security flaw in KCodes NetUSB. NetUSB is a Linux kernel module from KCodes, a small Taiwanese company, that adds a USB over IP feature to routers. The product provides a USB device sharing option for home networks. The same product is used by leading companies such as Netgear and TP-Link.
What is the problem?
When a USB device is plugged in, it becomes available over the network through the NetUSB server, which listens on TCP port 20005. The client side is the supplied Windows and OS X software, which lets the user interact with the USB device as if it were plugged in locally. The problem is that the USB server keeps running even when the USB device is unplugged.
Establishing a connection to the server is simple, because it uses static AES keys that are present in both the kernel driver and the client software. To initiate a connection, the client sends its computer name; if the name contains more than 64 characters, a stack buffer overflow occurs. The fact that the server code runs in kernel mode makes this vulnerability a rare one.
In general, NetUSB is not accessible from outside the network; however, there have been cases where, due to user error or device specifics, TCP port 20005 was exposed to the internet. This makes the vulnerability even more serious. We urge you to follow the recommendations for this vulnerability, CVE-2015-3036.
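The missing bounds check on the computer name, sketched as an added example (not KCodes code and not part of the original article). The one-byte length prefix and all function names are assumptions made for illustration; only the 64-character limit comes from the text above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64 is the limit given in the article. Assumed wire format (hypothetical):
 * one length byte followed by the name bytes. */
#define COMPUTER_NAME_MAX 64

/* Unsafe pattern, for contrast: the client-supplied length is trusted, so a
 * length above 64 writes past a 64-byte stack buffer. Never called here. */
void copy_name_unchecked(char *dst, const uint8_t *msg)
{
    memcpy(dst, msg + 1, msg[0]);
}

/* Hardened parser: returns the name length, or -1 if the message is empty,
 * claims more than 64 bytes, or is shorter than its length byte says. */
int parse_computer_name(const uint8_t *msg, size_t msg_len,
                        char out[COMPUTER_NAME_MAX + 1])
{
    if (msg == NULL || msg_len < 1)
        return -1;
    size_t claimed = msg[0];
    if (claimed > COMPUTER_NAME_MAX)   /* does not fit: reject the request */
        return -1;
    if (claimed > msg_len - 1)         /* length byte exceeds bytes received */
        return -1;
    memcpy(out, msg + 1, claimed);
    out[claimed] = '\0';
    return (int)claimed;
}

/* Builds a constructed message claiming `n` name bytes ('A') and parses it. */
int parse_name_of_length(size_t n, size_t bytes_received)
{
    uint8_t msg[1 + 255];
    char name[COMPUTER_NAME_MAX + 1];
    if (n > 255 || bytes_received > sizeof msg)
        return -1;
    msg[0] = (uint8_t)n;
    memset(msg + 1, 'A', 255);
    return parse_computer_name(msg, bytes_received, name);
}

int main(void)
{
    printf("64 bytes:  %d\n", parse_name_of_length(64, 65));
    printf("65 bytes:  %d\n", parse_name_of_length(65, 66));
    printf("truncated: %d\n", parse_name_of_length(10, 5));
    return 0;
}
```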
Who is Affected?
NetUSB.inf, located in the Windows client software, provides a list of vendors using NetUSB. At this moment we may assume that products from the following companies may be affected:
Refer to the Vendor Information section below and contact your vendor for firmware update information.
Affected users may also consider the following workarounds:
Disable device sharing
Consult your device’s vendor and documentation as some devices may allow disabling the USB device sharing service on your network.
Block port 20005
Blocking port 20005 on the local network may help mitigate this attack by preventing access to the service.
One thought on “NetUSB Bug Makes Millions of Routers Vulnerable”
In our company we use GFI EndPointSecurity, here is the link if you care: http://www.gfi.com/esec