A security flaw that affects a wide range of different routers from a number of different manufacturers could allow attackers to remotely execute code that compromises connected devices.
Essentially, NetUSB allows any USB device plugged directly into a router to be available to other devices, so that could be printer, external hard drive, USB storage key, etc. In order for Windows or Mac machines to access the devices plugged into a router, there’s a client-side driver for USB over IP too.
SEC Consult’s investigation found that the routers could be compromised by running a stack buffer overflow attack, simply by specifying the name of a computer as longer than 64 characters. This could then allow attackers to execute arbitrary code or access devices plugged into the router.
“By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket. Easy as pie, the ‘90s are calling and want their vulns back, stack buffer overflow. All the server code runs in kernel mode, so this is a “rare” remote kernel stack buffer overflow,” the report says.
The researchers also note that while NetUSB was not accessible from the internet on any of the devices it tested, there is an indication that some expose the port (20005) that it uses to the outside world, obviously thereby opening connected devices up to attack.
More than 90 routers from a range of vendors were documented as containing the NetUSB driver. We’ve contacted D-Link, Netgear, TP-Link and TrendNet to see if a patch is due to roll out and when that might happen. We’re yet to receive any responses, however, SEC Consult said that TP-Link has already released some fixes for the vulnerability and will provide a rollout schedule for around 40 different products.
Update: A spokesperson for Netgear has been in touch with the following statement:
Netgear takes customer security seriously and is actively updating the firmware to address any potential security vulnerability. Specific to the recent ReadySHARE vulnerability, the malicious attack can only be launched from within the LAN network and not remotely from the Internet. We encourage our customers to make sure Wi-Fi security is turned on (this is the default setting on our routers & gateways) and to change the default password for the router to prevent unauthorized devices from accessing your network. In addition, we encourage our customers to always upgrade to the latest firmware and as a security precaution, to enable firewall on the operating system and periodically perform virus scan on your devices. We will begin providing firmware updates in Q3 to address this issue, and we will contact our customers when the firmware is available for their product.”