Slashdot Mirror
Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking
itwbennett writes: NetUSB, a service that lets devices connected over USB to a computer be shared with other machines on a local network or the Internet, is implemented in Linux-based embedded systems, such as routers, as a kernel driver. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. The advisory notice has a list of affected routers.
Stop using C style (zero terminated) strings. This is beyond lame.
This is some crappy proprietary firmware library for very low cost network devices. As TFA mentions, we can expect a lot more of these vulnerabilities in the "IoT".
The advisory focuses on hardware brands - doesn't mention anything about aftermarket software. Anyone know?
If by "millions" you mean "one or two with computer names longer than 64 characters." At least for external threats. For internal threats on public WiFi, the networks should always be presumed to be insecure. For private networks, you already control the devices that connect because you have a secure passphrase, right? Right?
https://www.eff.org/https-everywhere
Quit thinking performance is the number 1 criteria in every program.
It actually does not. You can even get faster performance with garbage collection.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
I only know what an IoT hub is. Thanks
Really? That was your best comeback to a really bad security flaw?
Not surprised at all for trusting any services management with anything other than Systemd
Another day another MASSIVE security problem caused by open source. I cannot wait for this shitty movement towards crappy software written by crappy programmers to die the death it so richly deserves. This is going into my yearly talk I give at the local compsci department about why open source should be SHUNNED, not embraced, by up and coming programmers. Not only does it cost us JOBS and INCOME potential, it demonstrably results in WORSE software.
The vulnerable module appears to be proprietary, not open source, so dd-wrt and other open source firmware wouldn't include it.
If you have a router or similar device with a USB port which can be used to share USB printers and webcams, it's vulnerable. Sharing of USB STORAGE is done differently.
The buggy software is not open source. It is proprietary. I'll FTFY, updating your post to reflect that it's proprietary software:
Another day another MASSIVE security problem caused by proprietary software. I cannot wait for this shitty industry of crappy software written by crappy programmers hired by managers focused purely on profit to die the death it so richly deserves. This is going into my yearly talk I give at the local compsci department about why proprietary software should be SHUNNED, not embraced, by up and coming programmers. Not only does it cost us JOBS and INCOME potential, it demonstrably results in WORSE software.
Seriously. NetUSB? On a router? WHY the devil would I want that?
But lemme guess: It was cheap to add, it was a feature that we can tack onto the "look, shiny!" list of things the router can do and people simply count down the "features" of a router whether they need them or even know what the fuck they are.
Meanwhile, it becomes near impossible to buy a router that is JUST THAT. A router. And in case you're wondering "hey, why would you want that when you can have $feature on top of it for FREE?", look no further than this exploit. Without the useless gadget that netUSB is, this exploit would not exist!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You are a moron.
This isn't a problem caused by open source, it's a problem caused by some crappy programmer who didn't validate his inputs. It would make no difference if he were writing open source or proprietary software, he would still be a crappy programmer and the code would still be bug-ridden.
If anything, such faults which are caused entirely by programmer incompetence are more easily detected in open source code, although there is no guarantee of that of course. In proprietary code, not only is peer inspection limited or non-existent, but there is no possibility of directly fixing the fault if it's ever detected.
A fix is already available.
They should be using OpenBSD in routers anyway.
Slashdot: Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking
TFA: Tiny list of routers affected.
Still glad I'm using my pfsense router.
I have no doubt that there are plenty of devices that suffer from this vulnerability and will never see a firmware update because they'd rather you "buy some shiny new hardware that will not have this vulnerability". Well, guess what? I bought my last 2 routers for that reason, and I shouldn't have to buy a new one every 2 years because the manufacturer went cheap-and-dirty.
You should also state (based on their response to this vulnerability), the institute will nullify their degree if they are found to be purchasing Netgear products.
It happens I could use remote USB port functionality.
(Right now I want to run, on my laptop, a device that requires a Windows driver and Windows-only software. I have remote access to a Windows platform with the software and driver installed. If I could export a laptop USB port to the Windows machine, it would solve my problem.)
So NetUSB is vulnerable. Is there an open source replacement for it? (Doesn't need to be interworking if there are both a Linux port server and a Windows client-pseudodriver available.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It actually does not. You can even get faster performance with garbage collection.
Yes, you can.... everywhere except in the real world. Garbage collection is one of the reasons iOS is much faster than Android on the same hardware.
Fail.
Actually: Stop having people program C that do not know how to program securely in C. 0-terminated strings are fine in some contexts and not in others. The problem is people that cannot tell which is which.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Slashdot: Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking
TFA: Tiny list of router models affected.
FTFY
Every end has half a stick.
secure login cards between computers. That would make life easier!
It actually does not. You can even get faster performance with garbage collection.
Yes, you can.... everywhere except in the real world. Garbage collection is one of the reasons iOS is much faster than Android on the same hardware .
Since when does Android run on iOS devices? It doesn't?
. . . . .
Then it's not the same hardware.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
This has nothing significant to do with zero terminated strings, it's about trusting untrustable input. If the wire protocol was changed to specify the length of the inbound data in bytes and the driver blindly trusted no one would send more than 64 and stupidly copied the specified number of bytes without bounds checking, the same bug would be produced.
communist
At risk of being pedantic, there was a project years ago that got Android kinda-sorta working on the iPhone 3G. It was sluggish and drained your battery at an alarming rate because it didn't have any hardware-acceleration or power-management support, and it didn't let you make calls IIRC, but it was Android on an iPhone. It even set itself up in a dual-boot environment, so you could switch between Android and iOS. AFAIK, it was never developed into something that was actually usable. It also never ran on anything newer than the iPhone 3G.
20 January 2017: the End of an Error.
Yes, Linux has USB/IP support. There's a kernel module to handle it on the Linux host, and there's a client driver available for Windows (although I'm not sure how well it works as I've never used it myself).
Same thing. The number of people who own those specific models of esoteric or generic brands is likely very low.
What the fuck is "TP-Link" anyway? *facepalm*
Not surprised at all for trusting any services management with anything other than Systemd
Fuck you, troll! This is an EMACS vulnerability, not Systemd.
They are the only ones with a fix so here they are ahead of even the popular brands. Netgear is esoteric? Yeah right.
Also you make a big deal about an incomplete list. Many routers haven't been tested yet.
And Windows Phone on the same hardware specs outperforms them all (which is why a $49 Nokia running WP is actually not a terrible experience)...........I'm pretty sure .Net has garbage collection.
It would be "same thing" iff each of those models were used by one person, on average. Is it really what you are implying here?
Every end has half a stick.
It's all ARMv8.
“Common sense is not so common.” — Voltaire
A very popular, cheap router. I see people on openwrt lists all the time.
The face palm should be directed at you for showing your lack of experience.
"Stop having people program C that do not know how to program securely in C"
Unfortunately we need more than handful of programmers ... we need the less able programmers, but we can't trust them with C.
A fact abundantly clear for 2 decades, yet C persists ... billions of dollars of unnecessary damages.
Yea I used that- I found the image a couple days ago. I think it did make calls but no texts or wifi. Or it was wifi but no calls. Either way, it was totally experimental and I never felt that iPhone get so hot. But it was my first intro to using Android and is probably why I got a nexus 7 a couple years later.
I disagree. We do _not_ need the "cheap" programmers as what they write has negative worth. The reason C persists is simple: It is the best tool for quite a few jobs and it is a good tool in the hands of an expert. The damage caused is indeed unnecessary, but it is never a tool's fault when it is wielded incompetently.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Yes, Linux has USB/IP support. There's a kernel module to handle it on the Linux host, and there's a client driver available for Windows (although I'm not sure how well it works as I've never used it myself).
I had a need to get a USB scanner into a Windows 7 VM that I connected to via RDP. I put Linux USB/IP on a raspberry PI and plugged the scanner in. The Windows box got the client. I could scan. Problem solved.