Slashdot Mirror

← Back to Stories (view on slashdot.org)

Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking

Posted by Soulskill on from the it's-not-even-another-day-yet dept.

itwbennett writes: NetUSB, a service that lets devices connected over USB to a computer be shared with other machines on a local network or the Internet, is implemented in Linux-based embedded systems, such as routers, as a kernel driver. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. The advisory notice has a list of affected routers.

5 of 70 comments (clear)

  1. NOT a kernel bug by Lost+Race · · Score: 5, Informative

    This is some crappy proprietary firmware library for very low cost network devices. As TFA mentions, we can expect a lot more of these vulnerabilities in the "IoT".

    1. Re:NOT a kernel bug by Dagger2 · · Score: 4, Insightful

      It may not be part of the mainline Linux kernel, but the "firmware library" here is a kernel module, so this bug is a kernel-mode remote execution vulnerability. Which... probably isn't that much worse than a userland vulnerability for this type of device, where everything typically runs as root anyway, but still.

  2. DD-WRT / other open source router software? by Bovius · · Score: 5, Interesting

    The advisory focuses on hardware brands - doesn't mention anything about aftermarket software. Anyone know?

  3. Proprietary, not open source by raymorris · · Score: 4, Insightful

    The buggy software is not open source. It is proprietary. I'll FTFY, updating your post to reflect that it's proprietary software:

    Another day another MASSIVE security problem caused by proprietary software. I cannot wait for this shitty industry of crappy software written by crappy programmers hired by managers focused purely on profit to die the death it so richly deserves. This is going into my yearly talk I give at the local compsci department about why proprietary software should be SHUNNED, not embraced, by up and coming programmers. Not only does it cost us JOBS and INCOME potential, it demonstrably results in WORSE software.

  4. Re:Who needed it? by amorsen · · Score: 4, Interesting

    Seriously. NetUSB? On a router? WHY the devil would I want that?

    Printer sharing. A problem that was solved well in the 80's and since re-solved slightly worse every few years. It is difficult to imagine a worse way than NetUSB, but I am sure there are developers out there with a better imagination than mine.

    --
    Finally! A year of moderation! Ready for 2019?