Published on May 21st, 2015 📆 | 6053 Views ⚑0
Critical vulnerability in NetUSB driver exposes millions of routers to hacking
Millions of routers vulnerable to stack overflow hack due to NetUSB driver flaw
Security researchers have discovered a stack overflow vulnerability in NetUSB drivers which power almost majority of routers and other Internet of Things devices. The flaw allows potential hackers to use the compromised routers to conduct Distributed Denial of Service attacks and even remotely hijack the routers
Security researchers from Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service which can then be exploited for malicious purpose.
The vulnerability is located in a service called NetUSB, which lets devices connected over USB to a computer be shared with other machines on a local network or the Internet via IP (Internet Protocol). The shared devices can be printers, webcams, thumb drives, external hard disks and more.
NetUSB is implemented in Linux-based embedded systems, such as routers and Internet of Things connected devices as a kernel driver. The driver is developed by Taiwan-based KCodes Technology. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients.
The researchers have stated that since NetUSB service code runs in kernel mode, attackers who exploit the flaw could gain the ability to execute malicious code on the affected devices and gain highest privilege.
Many vendors integrate NetUSB into their products, but have different names for it. For example, Netgear calls the feature ReadySHARE, while others simply call it print sharing or USB share port.
Sec Consult researchers aid that they found the following routers to be vulnerable to the flaw.
TP-Link WR1043ND v2
However the bad news is that they believe that any of the routers which have the NetUSB.ko driver may be vulnerable to the flaw. As of now they believe that 92 other products from D-Link, Netgear, TP-Link, Trendnet and ZyXEL Communications are likely vulnerable.