Another Wifi Router vulnerability.... NetUSB

[Chicog]

20 May 2015 at 07:33, Darren Pauli

SEC Consult Vulnerability Lab Stefan Viehböck says potentially millions of routers and internet of things devices using KCodes NetUSB could be exposed to remote hijacking or denial of service attacks.

The packet fondler says the vulnerability (CVE-2015-3036) hits the Linux kernel module in scores of popular routers which serves to provide network access over TCP port 20005 to USB devices plugged into routers such as printers and external hard drives.

Viehböck says the vulnerability triggered by specifying a ridiculously long machine name belongs in the 1990s.

"By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket," Viehböck says.

"Easy as a pie, the ‘90s are calling and want their vulns back.

"All the server code runs in kernel mode, so this is a 'rare' remote kernel stack buffer overflow."

TP-Link has issued patches for 40 of its products. About the same number of Netgear wares are also affected along with 14 Trendnet items. Some 24 other vendors including D-Link and Western Digital are potentially affected, according to Vienbock's advisory.

The hacker notified computer emergency response teams in the US, Germany, and Austria after communications allegedly broke down with NetUSB creator KCodes.

Concerned users not prepared to suffocate while holding breath for router patches may be able to disable NetUSB through web interfaces.

This may not work on all devices including Netgear offerings which remain open even when firewalled, Viehböck says. ®

http://www.theregister.co.uk/2015/05/20/netusb_router_fail/

The vulnerability was identified by researchers with SEC Consult, who initially discovered the issue in on a TP-LINK device and later verified that the bug exists in the most recent firmware versions of TP-LINK TL-WDR4300 V1, TP-LINK TL-WR1043ND V2, and NETGEAR WNDR4500.

SEC Consult went on to identify NetUSB in the most recent firmware versions of several other products, including D-Link DIR-615 C, as well as several other NETGEAR, TP-Link, TRENDnet, and ZyXEL devices.

Altogether, based on data embedded in KCodes drivers, researchers believe the following are among vendors that are affected: ALLNET, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, D-Link, EDIMAX, Encore Electronics, EnGenius, HawkingTechnology, IOGEAR, LevelOne, LONGSHINE, NETGEAR, PCI, PROLiNK, Sitecom, TP-LINK, TRENDnet, Western Digital, and ZyXEL.

According to the advisory, SEC Consult contacted KCodes numerous times throughout February and into March, but a fix was not made available. SEC Consult later contacted TP-LINK and NETGEAR, as well as CERT Coordination Center (CERT/CC) and other CERTs, before making a public disclosure.

“To this day, only TP-LINK released fixes for the vulnerability and provided a release schedule for about 40 products,” the blog post said. “Sometimes NetUSB can be disabled via the web interface, but at least on NETGEAR devices this does not mitigate the vulnerability. NETGEAR told us, that there is no workaround available, the TCP port can't be firewalled nor is there a way to disable the service on their devices.”

According to a CERT/CC advisory, blocking port 20005 on the local network could help mitigate the issue by preventing access to the service.

http://www.scmagazine.com/millions-of-devices-may-be-vulnerable-to-netusb-vulnerability/article/415589/

Added: On NetGear it's called Ready Share. I'll have a look into it when I get home as I run a couple of these.

Edited May 21, 2015 by Chicog