NetUSB Flaw Affects Router Makers'Millions' of Devices May Be at Risk, Researchers Warn
Many router manufacturers use a third-party software component in their products called NetUSB, which can be exploited to bypass authentication checks and remotely take control of the devices, warns information security researcher Stefan ViehbÃ¶ck at SEC Consult.
The research firm has verified the flaw in firmware used by 92 products manufactured by D-Link, Netgear, TP-Link, Trendnet and ZyXEL, ViehbÃ¶ck says. The firmware flaw is likely also present in multiple products manufactured by 21 other vendors that use NetUSB, he adds. That count is based on the "NetUSB.inf" file, which is part of the client-driver setup for Windows, and which contains a list of 26 vendors. Accordingly, "it is likely that these vendors have licensed the NetUSB technology and are using it in some of their products," SEC Consult says, suggesting that "millions of devices" are now at risk.
U.S. CERT has issued a related alert, saying that "NetUSB is vulnerable to a buffer overflow via the network that may result in a denial of service or code execution." The SEC Consult researchers did not report seeing any related attacks against NetUSB-using devices. But their security alert follows the recent warning that attackers had compromised 40,000 routers that used default credentials, and turned them into distributed denial-of-service attack platforms.
NetUSB is developed by Kcodes, based in Taiwan, which bills itself as "the world's premier technology provider of mobile printing, audio and video communication, file sharing, and USB applications for iPhones, iPads, smart phones and tablets (Android and Windows), MacBooks, and Ultrabooks." Kcodes did not immediately respond to a request for comment on the firmware vulnerability.
NetUSB is designed to provide "USB over IP" functionality. "USB devices (e.g. printers, external hard drives, flash drives) plugged into a Linux-based embedded system (e.g. a router, an access point or a dedicated "USB over IP" box) are made available via the network using a Linux kernel driver that launches a server (TCP port 20005)," SEC Consult says in a blog post. "The client side is implemented in software that is available for Windows and OS X. It connects to the server and simulates the devices that are plugged into the embedded system locally. The user experience is like that of a USB device physically plugged into a client system."
But SEC Consult warns that when installed, NetUSB always appears to be active by default. "The NetUSB feature was enabled on all devices that we checked, and the server was still running even when no USB devices were plugged in," it says.
NetUSB: Some Mitigations
U.S. CERT says the NetUSB flaw can be mitigated by installing firmware updates - if available - and that blocking port 20005, which is used by NetUSB, may also mitigate the flaw. It adds that attacks may also be potentially mitigated by disabling device-sharing features. "Consult your device's vendor and documentation as some devices may allow disabling the USB device sharing service on your network."
SEC Consult, however, cautions in a related security advisory that deactivating NetUSB in a Web interface does not always disable it. "Sometimes NetUSB can be disabled via the Web interface, but at least on Netgear devices this does not mitigate the vulnerability," it says. "Netgear told us that there is no workaround available, the TCP port can't be firewalled nor is there a way to disable the service on their devices."
That security alert contains proof-of-concept attack code and a list of devices that it has confirmed are vulnerable to the flaw. To date, SEC Consult says that of affected vendors, only TP-LINK has released some related firmware updates, as well as outlined an update schedule for about 40 of its products.
Safety Alert: Internet of Things
The discovery that a single third-party component with an easily exploitable flaw has apparently been employed by many router manufacturers points to the challenge of attempting to keep so-called "Internet of Things" devices secure, says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. "One of the biggest issues we're going to face with the explosion of IoT or IP-enabled devices is the lack of foundational secure coding best practices that are followed," he says. "Unfortunately, when cost is such a driver for manufacturers of these technologies, poor code is often reused and when found by researchers, they are often faced with an apathetic response from the vendors."
Indeed, SEC Consult says that on February 28, it first approached Kcodes to warn it about the flaw, and later provided proof-of-concept exploit code. But after communication problems and Kcodes missing meetings, SEC Consult says that on March 26, it approached U.S. CERT and requested that it coordinate efforts with the vendor, as well as Netgear and TP-Link. Then a coordinated vulnerability announcement was released on May 19.
Kcodes did not immediately respond to a request for comment about SEC Consult's timeline.
Even with related fixes now beginning to appear, however, Millard says it's likely that most consumers will never hear about the NetUSB vulnerability or patch related devices. But he says the overall situation is even more troubling for corporate environments. "The burden on admins to find all these devices and reduce the risk of it being utilized by attackers is an almost impossible job, and the task will only get harder as the market pushes for cheaper, more connected devices," he says. "Unless we address the foundational issue of good coding practices in embedded systems, we'll continue to see simple bugs like weak authentication, default passwords, buffer overflows and directory traversal attacks being reintroduced into our environments."