Critical vulnerability in NetUSB driver exposes millions of routers to hacking

19.05.2015
Millions of routers and other embedded devices are affected by a serious vulnerability that could allow hackers to compromise them.

The vulnerability is located in a service called NetUSB, which lets devices connected over USB to a computer be shared with other machines on a local network or the Internet via IP (Internet Protocol). The shared devices can be printers, webcams, thumb drives, external hard disks and more.

NetUSB is implemented in Linux-based embedded systems, such as routers, as a kernel driver. The driver is developed by Taiwan-based KCodes Technology. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients.

Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. If exploited, this kind of vulnerability can result in remote code execution or denial of service.

Since the NetUSB service code runs in kernel mode, attackers who exploit the flaw could gain the ability to execute malicious code on the affected devices with the highest possible privilege, the Sec Consult researchers said in a blog post Tuesday.

Many vendors integrate NetUSB into their products, but have different names for it. For example, Netgear calls the feature ReadySHARE, while others simply call it print sharing or USB share port.

Sec Consult has confirmed the vulnerability in the TP-Link TL-WDR4300 V1, TP-Link WR1043ND v2 and Netgear WNDR4500 routers. However, after scanning firmware images from different manufacturers for the presence of the NetUSB.ko driver, they believe that 92 other products from D-Link, Netgear, TP-Link, Trendnet and ZyXEL Communications are likely vulnerable.

The researchers also found references to 26 vendors in the NetUSB.inf client driver for Windows, so they believe many other vendors might also have vulnerable products. They've alerted the CERT Coordination Center (CERT/CC), the German CERT-Bund and Austrian CERT, who are working to notify the vendors.

On some devices it's possible for users to disable the feature from the Web-based administration interface or to block access to the port using the firewall feature. However, on some devices, like those made by Netgear, this is not possible, the researchers said.

Many devices likely expose the NetUSB service to the local area network only, but there might be implementations that expose it to the Internet as well. Even when restricted to the local network only, the vulnerability still poses a high risk, because attackers can potentially exploit it if they compromise any computer from the local network or if they gain access to the network in some other way -- for example, due to weak or no wireless password.

As far as the Sec Consult researchers know, only TP-Link has released fixes so far. It has a release schedule for around 40 products.

TP-Link, Netgear, D-Link and ZyXEL did not immediately respond to a request for comment.

This vulnerability is just the latest in a long stream of basic security flaws found in consumer routers in recent years.

"It is safe to say that vulnerability reports like these will continue to appear until a paradigm shift is enacted at the manufacturer level," said Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, via email. Holcomb has found many vulnerabilities in routers and other embedded devices over the past several years. Security Evaluators organized a router hacking contest at the DefCon security conference last year.

The way in which vendors have implemented NetUSB in their products is egregious, Holcomb said. "For instance, hardcoded AES keys, the processing of unvalidated and untrusted data, and kernel integration are all red flags that should have been identified during the early stages of SDLC [software development lifecycle]."

Lucian Constantin