Slashdot Mirror

← Back to Stories (view on slashdot.org)

Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking

Posted by Soulskill on from the it's-not-even-another-day-yet dept.

itwbennett writes: NetUSB, a service that lets devices connected over USB to a computer be shared with other machines on a local network or the Internet, is implemented in Linux-based embedded systems, such as routers, as a kernel driver. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. The advisory notice has a list of affected routers.

36 of 70 comments (clear)

  1. NOT a kernel bug by Lost+Race · · Score: 5, Informative

    This is some crappy proprietary firmware library for very low cost network devices. As TFA mentions, we can expect a lot more of these vulnerabilities in the "IoT".

    1. Re:NOT a kernel bug by Dagger2 · · Score: 4, Insightful

      It may not be part of the mainline Linux kernel, but the "firmware library" here is a kernel module, so this bug is a kernel-mode remote execution vulnerability. Which... probably isn't that much worse than a userland vulnerability for this type of device, where everything typically runs as root anyway, but still.

    2. Re:NOT a kernel bug by nevermore94 · · Score: 2

      These are not all necessarily "very low cost network devices". I have the Netgear R7000 which is in the list and at the time I bought it it was one of the highest rated and most expensive home WiFi routers available. Granted, these are not corporate infrastructure level devices, but they are certainly not all "very low cost" ones either.

      --
      Nevermore.
    3. Re:NOT a kernel bug by mattventura · · Score: 1

      This is just yet another reason on the already long list of why I never use consumer routers. Between the awful specs, terrible proprietary firmwares, and swiss cheese security, I've decided to just use only repurposed hardware for routers. Almost anything past the P4 era can route at gigabit speeds without the need for "NAT accel" hardware (aka "our hardware is so slow that it needs NAT acceleration to do what a thrown-out PC can do"). That, or look for used professional gear.

      Pretty much the only thing that proprietary consumer stuff does better is wifi APs.

  2. DD-WRT / other open source router software? by Bovius · · Score: 5, Interesting

    The advisory focuses on hardware brands - doesn't mention anything about aftermarket software. Anyone know?

  3. Millions by StikyPad · · Score: 2

    If by "millions" you mean "one or two with computer names longer than 64 characters." At least for external threats. For internal threats on public WiFi, the networks should always be presumed to be insecure. For private networks, you already control the devices that connect because you have a secure passphrase, right? Right?

    --
    https://www.eff.org/https-everywhere
    1. Re:Millions by IMightB · · Score: 1

      Not only that, but it appears that it needs to be internal (as in physical access), a name longer than 64 character PLUS connected via USB. I cannot think if too many instances where this is a mission critical combination.

  4. Re:0 terminated strings are the root of all exploi by buchner.johannes · · Score: 1

    It actually does not. You can even get faster performance with garbage collection.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  5. This is what you get for not using Systemd by Anonymous Coward · · Score: 1

    Not surprised at all for trusting any services management with anything other than Systemd

  6. DD-WRT no. Vuln. if proprietary & shares webca by raymorris · · Score: 2

    The vulnerable module appears to be proprietary, not open source, so dd-wrt and other open source firmware wouldn't include it.

    If you have a router or similar device with a USB port which can be used to share USB printers and webcams, it's vulnerable. Sharing of USB STORAGE is done differently.

  7. Proprietary, not open source by raymorris · · Score: 4, Insightful

    The buggy software is not open source. It is proprietary. I'll FTFY, updating your post to reflect that it's proprietary software:

    Another day another MASSIVE security problem caused by proprietary software. I cannot wait for this shitty industry of crappy software written by crappy programmers hired by managers focused purely on profit to die the death it so richly deserves. This is going into my yearly talk I give at the local compsci department about why proprietary software should be SHUNNED, not embraced, by up and coming programmers. Not only does it cost us JOBS and INCOME potential, it demonstrably results in WORSE software.

  8. Who needed it? by Opportunist · · Score: 2

    Seriously. NetUSB? On a router? WHY the devil would I want that?

    But lemme guess: It was cheap to add, it was a feature that we can tack onto the "look, shiny!" list of things the router can do and people simply count down the "features" of a router whether they need them or even know what the fuck they are.

    Meanwhile, it becomes near impossible to buy a router that is JUST THAT. A router. And in case you're wondering "hey, why would you want that when you can have $feature on top of it for FREE?", look no further than this exploit. Without the useless gadget that netUSB is, this exploit would not exist!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Who needed it? by wed128 · · Score: 1

      So...disable all the features you aren't using to minimize your threat surface?

    2. Re:Who needed it? by amorsen · · Score: 4, Interesting

      Seriously. NetUSB? On a router? WHY the devil would I want that?

      Printer sharing. A problem that was solved well in the 80's and since re-solved slightly worse every few years. It is difficult to imagine a worse way than NetUSB, but I am sure there are developers out there with a better imagination than mine.

      --
      Finally! A year of moderation! Ready for 2019?
    3. Re:Who needed it? by drinkypoo · · Score: 1

      It was solved in the 80s and then crapped on in the 90s in the name of making ever-cheaper disposable printers for the purpose of selling million-dollar ink cartridges and print heads.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Who needed it? by NJRoadfan · · Score: 2

      NetUSB is used by some printer servers to allow use of USB only All-in-One printers and scanners over a network. I had to fix a setup once, and it was nothing but a buggy mess. The printer and its drivers were never designed to be used in a shared environment and the client machines needed some really ugly "Virtual USB" driver to fool the AIO's software into thinking it was directly connected to the machine. It worked sometimes, just never EVER try to print or scan from multiple machines at once.

    5. Re:Who needed it? by Opportunist · · Score: 1

      I do. If that's possible at all. Besides, not always does "disabling" a service really render it secure against an exploit targeting it. That's the whole point behind an exploit, that whatever it attacks does not behave as it should.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Who needed it? by chuckugly · · Score: 1

      Yes, however the last time I was in Costco I looked at the cheap printers, and the $140 multifunction scanner, doc-feeder, photo ink-jet with duplexer (some fly by night outfit named HP made it) had a touch screen interface and WiFi.

      So yeah, not seeing this as a really killer feature in a router. I guess that's why my router doesn't have a USB port.

    7. Re:Who needed it? by bmo · · Score: 1

      >What was the solution in the 80s that you are referring to?

      Ethernet.

      Either it has wifi or an "RJ45" jack on the back or it's crap.

      --
      BMO

    8. Re:Who needed it? by _merlin · · Score: 1

      There are lots of solutions:

      • JetDirect - print server listens on a TCP socket, clients treat the socket the way they would a serial port with the same printer model attached. No job management or anything, but very simple to implement.
      • AppleTalk PAP - printer requests data from client as it needs it, client polls printer for status. Printer status and job management are done in a standardised way for all printers. But it depends on obsolete protocols.
      • lpr/lpd - the UNIX equivalent to AppleTalk PAP. Runs over TCP/IP, provides standardised printer status and job management, easy to proxy/multiplex, supported out-of-the-box on most modern operating systems.
      • Windows Printing - kind of like AppleTalk PAP but using NetBIOS instead of AppleTalk. All the printer status and job management functionality, but a bit cumbersome to use. Works well on OSX and Windows clients.
      • IPP - a "modern" HTTP-based printing protocol. Should do anything the other solutions can do, but better. Used by CUPS, and supported on Windows since Win2k. Also used by iOS for printing.

      As for standardised printer control languages, there's HP PCL (printer can be relatively dumb), HP-GL (vector protocol really intended for plotters), SPL (Samsung's equivalent to HP PCL), PostScript (requires fairly heavy runtime to render), and PDF (declarative page description language). A print server should be able to handle at least one of them.

      The way it used to work was there were "workgroup printers" with a built-in NIC and print server. They'd usually be able to interpret PCL or PostScript so anyone could print to them with a driver for one of these languages. But they were expensive.

      So you could connect a printer to a computer and get the computer to act as the print server and share it on the network. If you had a driver for the printer on this computer, you could make it translate PCL or PostScript to the printer's (probably proprietary) native language so clients still wouldn't need a special driver, only the print server would.

      But using a computer as a print server looks overly complex, so you got dumb print server boxes. You can't install fancy print drivers on these boxes, so they just proxy a TCP port to the serial/parallel port the printer is connected to (JetDirect). Each client needs drivers for the specific printer(s), and it prints as though it had the printer attached locally to a serial port.

      NetUSB is the next step in this devolutionary chain. It's like the dumb print server adapted to USB rather than serial/parallel. The client machines have a driver for the specific printer(s) and the USB I/O is redirected over the network.

  9. OpenBSD by Anonymous Coward · · Score: 1

    They should be using OpenBSD in routers anyway.

  10. pfsense for the win by cyberjock1980 · · Score: 1

    Still glad I'm using my pfsense router.

    I have no doubt that there are plenty of devices that suffer from this vulnerability and will never see a firmware update because they'd rather you "buy some shiny new hardware that will not have this vulnerability". Well, guess what? I bought my last 2 routers for that reason, and I shouldn't have to buy a new one every 2 years because the manufacturer went cheap-and-dirty.

  11. More pointedly by ThatsNotPudding · · Score: 1

    You should also state (based on their response to this vulnerability), the institute will nullify their degree if they are found to be purchasing Netgear products.

  12. NetUSB=proprietary. Is there an open replacement? by Ungrounded+Lightning · · Score: 2

    It happens I could use remote USB port functionality.

    (Right now I want to run, on my laptop, a device that requires a Windows driver and Windows-only software. I have remote access to a Windows platform with the software and driver installed. If I could export a laptop USB port to the Windows machine, it would solve my problem.)

    So NetUSB is vulnerable. Is there an open source replacement for it? (Doesn't need to be interworking if there are both a Linux port server and a Windows client-pseudodriver available.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  13. Re:0 terminated strings are the root of all exploi by 0123456 · · Score: 1

    It actually does not. You can even get faster performance with garbage collection.

    Yes, you can.... everywhere except in the real world. Garbage collection is one of the reasons iOS is much faster than Android on the same hardware.

  14. Re:0 terminated strings are the root of all exploi by gweihir · · Score: 1

    Fail.

    Actually: Stop having people program C that do not know how to program securely in C. 0-terminated strings are fine in some contexts and not in others. The problem is people that cannot tell which is which.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Re: 0 terminated strings are the root of all explo by CSMoran · · Score: 1

    Slashdot: Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking

    TFA: Tiny list of router models affected.

    FTFY

    --
    Every end has half a stick.
  16. Re:0 terminated strings are the root of all exploi by EmeraldBot · · Score: 1

    It actually does not. You can even get faster performance with garbage collection.

    Yes, you can.... everywhere except in the real world. Garbage collection is one of the reasons iOS is much faster than Android on the same hardware .

    Since when does Android run on iOS devices? It doesn't?

    . . . . .

    Then it's not the same hardware.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  17. Re:0 terminated strings are the root of all exploi by ncc74656 · · Score: 1

    Since when does Android run on iOS devices? It doesn't?

    At risk of being pedantic, there was a project years ago that got Android kinda-sorta working on the iPhone 3G. It was sluggish and drained your battery at an alarming rate because it didn't have any hardware-acceleration or power-management support, and it didn't let you make calls IIRC, but it was Android on an iPhone. It even set itself up in a dual-boot environment, so you could switch between Android and iOS. AFAIK, it was never developed into something that was actually usable. It also never ran on anything newer than the iPhone 3G.

    --
    20 January 2017: the End of an Error.
  18. Re:NetUSB=proprietary. Is there an open replacemen by mattventura · · Score: 2

    Yes, Linux has USB/IP support. There's a kernel module to handle it on the Linux host, and there's a client driver available for Windows (although I'm not sure how well it works as I've never used it myself).

  19. Re:0 terminated strings are the root of all exploi by SQLGuru · · Score: 1

    And Windows Phone on the same hardware specs outperforms them all (which is why a $49 Nokia running WP is actually not a terrible experience)...........I'm pretty sure .Net has garbage collection.

  20. Re: 0 terminated strings are the root of all explo by CSMoran · · Score: 1

    It would be "same thing" iff each of those models were used by one person, on average. Is it really what you are implying here?

    --
    Every end has half a stick.
  21. Re:0 terminated strings are the root of all exploi by OrangeTide · · Score: 1

    It's all ARMv8.

    --
    “Common sense is not so common.” — Voltaire
  22. Re:0 terminated strings are the root of all exploi by Pinky's+Brain · · Score: 1

    "Stop having people program C that do not know how to program securely in C"

    Unfortunately we need more than handful of programmers ... we need the less able programmers, but we can't trust them with C.

    A fact abundantly clear for 2 decades, yet C persists ... billions of dollars of unnecessary damages.

  23. Re:0 terminated strings are the root of all exploi by gweihir · · Score: 1

    I disagree. We do _not_ need the "cheap" programmers as what they write has negative worth. The reason C persists is simple: It is the best tool for quite a few jobs and it is a good tool in the hands of an expert. The damage caused is indeed unnecessary, but it is never a tool's fault when it is wielded incompetently.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  24. Re:NetUSB=proprietary. Is there an open replacemen by tbuskey · · Score: 1

    Yes, Linux has USB/IP support. There's a kernel module to handle it on the Linux host, and there's a client driver available for Windows (although I'm not sure how well it works as I've never used it myself).

    I had a need to get a USB scanner into a Windows 7 VM that I connected to via RDP. I put Linux USB/IP on a raspberry PI and plugged the scanner in. The Windows box got the client. I could scan. Problem solved.