NetUSB Vulnerability Means Trouble for Linux-based Home Routers

NetUSB Vulnerability Means Trouble For Linux-Based Home Routers: What To Do Now

Just a day after the disclosure of the Logjam SSL exploit, yet another serious open source vulnerability has surfaced. Dubbed “NetUSB” for the driver in which it resides, this vulnerability affects Linux-based networking equipment, home routers in particular, that support “USB over IP” – remote mounting USB flash drives and support for other USB peripherals, such as printers and keyboards, over a local network.

Given the ubiquitousness of SOHO routers, this vulnerability most likely impacts tens of millions of devices in homes, small offices, and other locales. It is doubly concerning because these settings (as opposed to enterprise IT) typically lack security oversight, with many device owners lacking sufficient expertise to remedy NetUSB and other similar vulnerabilities, even through vendor-supplied updates.

The vulnerability arises from that most familiar of sources – a potential buffer overflow in the 64-byte string that conveys the name of the client computer (running Windows and/or MacOS) to the driver. By cramming more than 64 bytes of data into that buffer, black hats can crash the router (for denial of service) and in some cases, cause malicious code to run on the router itself (remote code execution).

The most distressing attribute of NetUSB is that the vulnerability resides in a Linux kernel driver, which, in theory, is among some of the most visible and best-curated code in all of open source. The code originates with Taiwanese vendor KCodes and has found its way into hardware from D-Link, Netgear, TP-Link, Trendnet ZyXE and likely dozens of others, affecting over 90 router products. (See the full list in advisory here.)

Even relatively savvy device owners might think that disabling the feature (which bears various names across different vendors) solves the problem, but they should think again. The code behind the vulnerability typically remains active even when router controls claim to disable it and also when no USB devices are actually plugged into the router.

NetUSB is especially challenging in the light of the fact that many – even most – embedded systems provide no means to update system images once they are deployed. Also, most device owners fail to perform updates even once during the devices’ fielded lifetimes. As such, NetUSB is likely to remain in the wild for some time to come. (I took care of my home routers this morning!)

Luckily for device manufacturers moving forward, NetUSB is easily identifiable using Open Source Hygiene – cross referencing components in software stacks with advisories from key vulnerability databases. For the moment, check your router model on the link provided and also on your manufacturer website. If it's affected, update as soon as new firmware images become available. In the meantime, keep your firewall active and correctly configured. In particular, don't open TCP port 20005, where the affected code "listens" for connections.

Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.


New Vuln in Xen Hypervisors Require Hypervigilance

| Nov 4, 2015

Developers of the Xen Hypervisor recently revealed that a new critical vulnerability had surfaced in this key piece of system software. The first, Venom (CVE-2015-3456) became known in May 2015. Another, CVE-2015-5154 cropped up in July. And now, a new high profile vulnerability, CVE-2015-7835,

| MORE >

You Want Secure Containers? Start With Secure Container Contents

| Oct 22, 2015

Containerization is hot. This form of lightweight virtualization lets more applications run on a single server or cloud instance, and lets IT organizations create and deploy those applications faster and more reliably. Enterprise containerization meets several enterprise IT goals simultaneously:

| MORE >

The Essentials of Open Source Strategy and Governance

| Sep 29, 2015

Much has been written regarding open source development models and community dynamics. Yet, equally important are the different types of open source business strategies, best practices, and processes that govern the use of code from open source projects and contributions to those projects

| MORE >