Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking
itwbennett writes: NetUSB, a service that lets devices connected over USB to a computer be shared with other machines on a local network or the Internet, is implemented in Linux-based embedded systems, such as routers, as a kernel driver. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. The advisory notice has a list of affected routers.
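The bug class the summary describes, as an added illustration that is not code from the original page, the advisory, or the NetUSB driver itself: a client-supplied computer name is copied into a fixed 64-byte buffer on the kernel stack, and the copy is bounded by the packet length but never by the buffer size. The wire format (a 4-byte little-endian length followed by the name bytes), the `handshake_frame` layout, and every function name below are assumptions made for the example; the `sentinel` field stands in for whatever follows the buffer in the real stack frame so the overwrite can be observed instead of crashing the process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 64   /* buffer size named in the summary */

/* Assumed stand-in for the driver's stack frame: the name buffer followed
 * by whatever lives after it (saved register, return address, ...). */
struct handshake_frame {
    char     name[NAME_MAX];
    uint32_t sentinel;
};

typedef int (*parser_fn)(const uint8_t *, size_t, struct handshake_frame *);

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed wire format for the example: 4-byte LE length, then the name.
 * The caller must provide at least claimed_len bytes in `name`. */
size_t build_name_msg(uint8_t *out, size_t cap, const char *name, uint32_t claimed_len)
{
    if (cap < 4 + (size_t)claimed_len) return 0;
    out[0] = (uint8_t)claimed_len;          out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len >> 16);  out[3] = (uint8_t)(claimed_len >> 24);
    memcpy(out + 4, name, claimed_len);
    return 4 + claimed_len;
}

/* Vulnerable pattern: the length is validated against the packet, but
 * never against the 64-byte destination, so n > NAME_MAX writes past name[]. */
int parse_name_vulnerable(const uint8_t *msg, size_t msg_len, struct handshake_frame *f)
{
    if (msg_len < 4) return -1;
    uint32_t n = rd_le32(msg);
    if (n > msg_len - 4) return -1;           /* packet truncated */
    unsigned char *dst = (unsigned char *)f->name;
    for (uint32_t i = 0; i < n; i++)
        dst[i] = msg[4 + i];                  /* no bound on i vs NAME_MAX */
    return 0;
}

/* Hardened: anything that does not fit with a terminator is rejected and
 * the client is dropped; the copy is then bounded by the buffer, not the wire. */
int parse_name_hardened(const uint8_t *msg, size_t msg_len, struct handshake_frame *f)
{
    if (msg_len < 4) return -1;
    uint32_t n = rd_le32(msg);
    if (n > msg_len - 4) return -1;
    if (n >= NAME_MAX) return -2;             /* would overflow: reject */
    memcpy(f->name, msg + 4, n);
    f->name[n] = '\0';
    return 0;
}

/* Constructed input: a name of NAME_MAX + 4 'A' bytes, enough to reach the
 * sentinel but not beyond the struct, so the demo stays deterministic. */
static int run_long_name(parser_fn parser, struct handshake_frame *f)
{
    char name[NAME_MAX + 4];
    memset(name, 'A', sizeof name);
    uint8_t msg[4 + sizeof name];
    size_t len = build_name_msg(msg, sizeof msg, name, (uint32_t)sizeof name);
    memset(f, 0, sizeof *f);
    f->sentinel = 0xDEADBEEFu;
    return parser(msg, len, f);
}

uint32_t sentinel_after_long_name(parser_fn parser)
{
    struct handshake_frame f;
    run_long_name(parser, &f);
    return f.sentinel;
}

int rc_for_long_name(parser_fn parser)
{
    struct handshake_frame f;
    return run_long_name(parser, &f);
}

int main(void)
{
    printf("vulnerable: rc=%d sentinel=0x%08x (was 0xdeadbeef)\n",
           rc_for_long_name(parse_name_vulnerable),
           sentinel_after_long_name(parse_name_vulnerable));
    printf("hardened:   rc=%d sentinel=0x%08x\n",
           rc_for_long_name(parse_name_hardened),
           sentinel_after_long_name(parse_name_hardened));
    return 0;
}
```

In the vulnerable path the 68-byte name overwrites the sentinel with `0x41414141`; in the hardened path the parser returns `-2` before touching the buffer. In a real kernel driver the equivalent of `sentinel` is the saved return address, which is why a client-controlled length on a listening TCP port is a remote code execution primitive rather than a crash.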
This is some crappy proprietary firmware library for very low cost network devices. As TFA mentions, we can expect a lot more of these vulnerabilities in the "IoT".
The advisory focuses on hardware brands - doesn't mention anything about aftermarket software. Anyone know?
If by "millions" you mean "one or two with computer names longer than 64 characters." At least for external threats. For internal threats on public WiFi, the networks should always be presumed to be insecure. For private networks, you already control the devices that connect because you have a secure passphrase, right? Right?
The vulnerable module appears to be proprietary, not open source, so dd-wrt and other open source firmware wouldn't include it.
If you have a router or similar device with a USB port which can be used to share USB printers and webcams, it's vulnerable. Sharing of USB STORAGE is done differently.
The buggy software is not open source. It is proprietary. I'll FTFY, updating your post to reflect that it's proprietary software:
Another day another MASSIVE security problem caused by proprietary software. I cannot wait for this shitty industry of crappy software written by crappy programmers hired by managers focused purely on profit to die the death it so richly deserves. This is going into my yearly talk I give at the local compsci department about why proprietary software should be SHUNNED, not embraced, by up and coming programmers. Not only does it cost us JOBS and INCOME potential, it demonstrably results in WORSE software.
Seriously. NetUSB? On a router? WHY the devil would I want that?
But lemme guess: It was cheap to add, it was a feature that we can tack onto the "look, shiny!" list of things the router can do and people simply count down the "features" of a router whether they need them or even know what the fuck they are.
Meanwhile, it becomes near impossible to buy a router that is JUST THAT. A router. And in case you're wondering "hey, why would you want that when you can have $feature on top of it for FREE?", look no further than this exploit. Without the useless gadget that NetUSB is, this exploit would not exist!
It happens I could use remote USB port functionality.
(Right now I want to run, on my laptop, a device that requires a Windows driver and Windows-only software. I have remote access to a Windows platform with the software and driver installed. If I could export a laptop USB port to the Windows machine, it would solve my problem.)
So NetUSB is vulnerable. Is there an open source replacement for it? (Doesn't need to be interworking if there are both a Linux port server and a Windows client-pseudodriver available.)
Yes, Linux has USB/IP support. There's a kernel module to handle it on the Linux host, and there's a client driver available for Windows (although I'm not sure how well it works as I've never used it myself).