Just a day after the disclosure of the Logjam SSL exploit, yet another serious open source vulnerability has surfaced. Dubbed “NetUSB” for the driver in which it resides, this vulnerability affects Linux-based networking equipment, home routers in particular, that support “USB over IP” – remotely mounting USB flash drives and sharing other USB peripherals, such as printers and keyboards, over a local network.
Given the ubiquity of SOHO routers, this vulnerability most likely impacts tens of millions of devices in homes, small offices, and other locales. It is doubly concerning because these settings (as opposed to enterprise IT) typically lack security oversight, and many device owners lack the expertise to remedy NetUSB and similar vulnerabilities, even when vendor-supplied updates are available.
The vulnerability arises from that most familiar of sources – a buffer overflow in the 64-byte string that conveys the name of the client computer (running Windows and/or MacOS) to the driver. By cramming more than 64 bytes of data into that buffer, black hats can crash the router (denial of service) and, in some cases, cause malicious code to run on the router itself (remote code execution).
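To make the defect concrete, here is an added illustration written for this post; it is not the KCodes driver source. It assumes a simple wire layout (a 4-byte little-endian length field followed by the name bytes) and shows the unchecked copy into the 64-byte name buffer next to the hardened version that validates the length against the destination before copying:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not KCodes' NetUSB driver code. The post says the client's
 * computer name arrives in a 64-byte string; the wire layout assumed here is a
 * 4-byte little-endian length followed by that many name bytes. */
#define NAME_BUF_SIZE 64

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defect pattern: the length field is under the remote peer's control and
 * is never compared against the size of the destination buffer, so a length
 * above 63 overruns 'name'. Shown for contrast only; never run on untrusted input. */
int parse_client_name_unchecked(const uint8_t *pkt, size_t pkt_len,
                                char name[NAME_BUF_SIZE])
{
    if (pkt_len < 4)
        return -1;
    uint32_t len = read_le32(pkt);
    if (pkt_len - 4 < len)            /* guards the source, not the destination */
        return -1;
    memcpy(name, pkt + 4, len);       /* overflow when len > 63 */
    name[len] = '\0';
    return (int)len;
}

/* Hardened form: reject any length the 64-byte buffer cannot hold (one byte is
 * reserved for the terminating NUL) before anything is copied. */
int parse_client_name_checked(const uint8_t *pkt, size_t pkt_len,
                              char name[NAME_BUF_SIZE])
{
    if (pkt_len < 4)
        return -1;
    uint32_t len = read_le32(pkt);
    if (len >= NAME_BUF_SIZE)         /* the missing bounds check */
        return -1;
    if (pkt_len - 4 < len)
        return -1;
    memcpy(name, pkt + 4, len);
    name[len] = '\0';
    return (int)len;
}

/* Builds a constructed sample packet in the assumed layout. */
size_t build_name_packet(const char *s, uint8_t *out, size_t cap)
{
    size_t len = strlen(s);
    if (cap < 4 + len)
        return 0;
    out[0] = (uint8_t)len;
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)(len >> 16);
    out[3] = (uint8_t)(len >> 24);
    memcpy(out + 4, s, len);
    return 4 + len;
}

/* Constructed benign input: a 9-character client name. Both parsers accept it
 * and return the name length. */
int benign_name_result(void)
{
    uint8_t pkt[4 + 256];
    char name[NAME_BUF_SIZE];
    size_t n = build_name_packet("client-pc", pkt, sizeof pkt);
    int r = parse_client_name_checked(pkt, n, name);
    if (r != parse_client_name_unchecked(pkt, n, name))
        return -2;
    return strcmp(name, "client-pc") == 0 ? r : -3;
}

/* Constructed oversized input: a 200-byte name. Only the hardened parser is
 * run on it; it must refuse (return -1) rather than copy. */
int oversized_name_result(void)
{
    uint8_t pkt[4 + 256];
    char name[NAME_BUF_SIZE];
    char big[201];
    memset(big, 'A', 200);
    big[200] = '\0';
    size_t n = build_name_packet(big, pkt, sizeof pkt);
    return parse_client_name_checked(pkt, n, name);
}

int main(void)
{
    printf("benign name: %d (expect 9)\n", benign_name_result());
    printf("oversized name: %d (expect -1)\n", oversized_name_result());
    return 0;
}
```

The only difference between the two parsers is the single comparison of the peer-supplied length against the destination size; that is the check whose absence turns a hostname field into a crash or code-execution primitive.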
The most distressing attribute of NetUSB is that the vulnerability resides in a Linux kernel driver, which, in theory, is among the most visible and best-curated code in all of open source. The code originates with Taiwanese vendor KCodes and has found its way into hardware from D-Link, Netgear, TP-Link, Trendnet, ZyXEL and likely dozens of others, affecting over 90 router products. (See the full list in the advisory here.)
Even relatively savvy device owners might think that disabling the feature (which bears various names across different vendors) solves the problem, but they should think again. The code behind the vulnerability typically remains active even when router controls claim to disable it, and even when no USB devices are actually plugged into the router.
NetUSB is especially challenging in light of the fact that many – even most – embedded systems provide no means to update system images once they are deployed. Also, most device owners fail to perform updates even once during a device’s fielded lifetime. As such, NetUSB is likely to remain in the wild for some time to come. (I took care of my home routers this morning!)
Luckily for device manufacturers moving forward, NetUSB is easily identifiable using Open Source Hygiene – cross-referencing the components in a software stack against advisories from key vulnerability databases. For the moment, check your router model on the link provided and also on your manufacturer's website. If it's affected, update as soon as new firmware images become available. In the meantime, keep your firewall active and correctly configured. In particular, don't open TCP port 20005, where the affected code "listens" for connections.