Details Surface on Unpatched KCodes NetUSB Bug

The Department of Homeland Security-sponsored CERT at Carnegie Mellon University today issued an alert warning of a serious vulnerability in KCodes NetUSB, which is integrated into products sold by a number of networking vendors.

KCodes NetUSB is a Linux kernel module that enables several users on a local network to share USB-based services over IP.

The vulnerability, reported by Stefan Viehbock of SEC Consult Vulnerability Lab, must be patched via new firmware. To date, SEC Consult said, only TP-Link has provided a fix and has a release schedule for 40 of its products. It is unknown whether products from Cisco, D-Link, Linksys, TrendNet and others are affected.

“An unauthenticated attacker on the local network can trigger a buffer overflow that may result in a denial of service or remote code execution,” the advisory said, paraphrasing the report submitted by Viehbock. “Some device default configurations may allow a remote attacker as well.”

The vulnerability in question, CVE-2015-3036, is a buffer overflow that could enable an attacker to either crash the device running the kernel module, or in some cases, remotely run code.

“Computer client data provided when connecting to the NetUSB server is not properly validated by the driver before processing,” said the CERT advisory, again citing Viehbock.

Viehbock, who is best known for a 2011 paper called “Brute Forcing Wi-Fi Protected Setup,” provided proof-of-concept code in an advisory published by SEC Consult.

“NetUSB suffers from a remotely exploitable kernel stack buffer overflow. Because of insufficient input validation, an overly long computer name can be used to overflow the “computer name” kernel stack buffer,” Viehbock wrote. “This results in memory corruption which can be turned into arbitrary remote code execution.”

The CERT/CC alert, however, points out that it has not been able to confirm the security issue with KCodes. But SEC Consult said the vulnerability has been verified in TP-Link TL-WDR4300 V1, TP-Link WR1043ND V2, and Netgear WNDR4500. The advisory also includes a long list of D-Link, Netgear, TP-Link, TrendNet and Zyxel gear that runs KCodes NetUSB, along with a list of vendors whose products used embedded KCodes drivers.

“Sometimes NetUSB can be disabled via the web interface, but at least on NETGEAR devices this does not mitigate the vulnerability,” Viehbock said with regard to a workaround. “NETGEAR told us that there is no workaround available; the TCP port can’t be firewalled, nor is there a way to disable the service on their devices.”

SEC Consult explained that it did its analysis of the NetUSB driver on a TP-Link device. In addition to the buffer overflow issue, a mutual authentication check proves to be pointless, the researchers said, because the AES key used in the check is static and is found in the kernel driver and client software for Windows and OS X.

“As part of the connection initiation, the client sends his computer name. This is where it gets interesting: The client can specify the length of the computer name. By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket,” SEC Consult said. “Easy as a pie, the ’90s are calling and want their vulns back, stack buffer overflow. All the server code runs in kernel mode, so this is a ‘rare’ remote kernel stack buffer overflow.”
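As an added example (not code from the article, SEC Consult or KCodes), the check the driver lacked, written as a small C parser for a length-prefixed computer name: the 4-byte little-endian length layout, the function names and the `parse_case` helper are assumptions constructed for illustration, not the real NetUSB wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed 64-byte "computer name" buffer, the size the article describes. */
#define NAME_BUF_SIZE 64

/* Assumed message layout (constructed for this example, not the real
 * NetUSB wire format): 4-byte little-endian length, then the name bytes. */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Hardened parser: returns the name length, or -1 if the message is
 * truncated or the claimed length would overrun the buffer. The bound
 * comes from the buffer, never from the client; one byte is kept for NUL. */
int parse_computer_name(const unsigned char *msg, size_t msg_len,
                        char out[NAME_BUF_SIZE])
{
    if (msg_len < 4)
        return -1;
    uint32_t name_len = get_le32(msg);
    if (name_len >= NAME_BUF_SIZE)      /* the check the driver lacked */
        return -1;
    if (name_len > msg_len - 4)         /* claims more bytes than were sent */
        return -1;
    memcpy(out, msg + 4, name_len);
    out[name_len] = '\0';
    return (int)name_len;
}

/* Demo helper: build a message claiming `claimed` name bytes while actually
 * carrying `sent` bytes of 'A', then parse it into a stack buffer. */
int parse_case(uint32_t claimed, uint32_t sent)
{
    unsigned char msg[4 + 256];
    char name[NAME_BUF_SIZE];
    if (sent > 256)
        return -2;
    put_le32(msg, claimed);
    memset(msg + 4, 'A', sent);
    return parse_computer_name(msg, 4 + sent, name);
}
```

A name of up to 63 bytes is accepted; a claimed length of 64 or more, or one larger than the bytes actually received, is rejected before any copy happens.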

The researchers said they reached out to KCodes in February with details on the vulnerability and proof of concept code, but were ignored.

Source: https://threatpost.com
