TP-LINK scheduled fixes for about 40 of its products

May 19, 2015 21:33 GMT

NetUSB code used in products from D-Link, NETGEAR, TP-LINK, TRENDnet and ZyXEL for sharing different USB devices over the network includes a vulnerability that could be exploited for arbitrary remote code execution.

Tracked as CVE-2015-3036, the security flaw is a remote kernel stack buffer overflow that can be triggered by a client when connecting to the server deployed on the networking device (TCP port 20005).

“Rare” remote kernel stack buffer overflow

NetUSB technology is developed by KCodes, a company from Taiwan, to provide USB over IP functionality. It relies on a Linux kernel driver to launch a server that communicates with a client available in software on computer systems running Windows or OS X.

The feature allows users to emulate on the computer a USB device (printer, hard drive) connected to an embedded system, such as a router or access point. The capability is known under different names, “ReadySHARE,” “USB share port” or “print sharing” being a few of them.

According to Austria-based SEC Consult Vulnerability Lab, the client sends the computer name to the server when the connection between the two is established.

However, if the client delivers to the server a name longer than 64 characters, the stack buffer overflows upon reception from the socket. “All the server code runs in kernel mode, so this is a ‘rare’ remote kernel stack buffer overflow,” the researchers said in a blog post on Tuesday.
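The missing bounds check described above, as an added example in C (not KCodes' driver code and not taken from the SEC Consult advisory): a receive routine that validates a peer-supplied name length against a 64-byte buffer before copying. The 4-byte little-endian length prefix, the function names and the status codes are assumptions for illustration; the article does not describe the wire format.

```c
#include <stdint.h>
#include <string.h>

#define NAME_MAX_LEN 64 /* buffer size named in the article */

enum { NAME_OK = 0, NAME_SHORT_MSG = -1, NAME_TOO_LONG = -2 };

/* Assumed framing (not from the article): 4-byte little-endian length,
 * followed by that many name bytes. */
int parse_computer_name(const uint8_t *msg, size_t msg_len,
                        char out[NAME_MAX_LEN + 1])
{
    uint32_t claimed;

    if (msg_len < 4)
        return NAME_SHORT_MSG;
    claimed = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
              ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);

    /* Unsafe pattern: copying `claimed` bytes into the fixed buffer
     * without the two checks below. */
    if (claimed > NAME_MAX_LEN)
        return NAME_TOO_LONG;      /* would overrun the destination */
    if (claimed > msg_len - 4)
        return NAME_SHORT_MSG;     /* would read past received data */

    memcpy(out, msg + 4, claimed);
    out[claimed] = '\0';
    return NAME_OK;
}

/* Constructed input: claims `claimed` bytes, carries `sent` (max 256). */
int status_for(uint32_t claimed, size_t sent)
{
    uint8_t msg[4 + 256];
    char name[NAME_MAX_LEN + 1];

    if (sent > 256)
        sent = 256;
    for (int i = 0; i < 4; i++)
        msg[i] = (uint8_t)(claimed >> (8 * i));
    memset(msg + 4, 'A', sent);
    return parse_computer_name(msg, 4 + sent, name);
}

int main(void)
{
    return status_for(65, 65) == NAME_TOO_LONG ? 0 : 1;
}
```

The length is checked against both the destination size and the number of bytes actually received, so an oversized or inconsistent length field is rejected before any copy takes place.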

For the connection to occur, authentication is required, based on an AES encryption key; but researchers say that the key is present both in the kernel driver and in the client software installed on the computer system.

Some routers are exposed to the Internet, some fixes are on their way

SEC Consult checked the firmware versions in products from the aforementioned vendors and found that 92 of them contained the NetUSB code. The full list, provided in the vulnerability advisory, contains a total of 97 devices, but five of them are no longer supported by their manufacturers.

The vulnerability has been confirmed in gigabit routers from TP-LINK (TL-WDR4300 v1 and v2) and NETGEAR (WNDR4500). Based on its research, SEC Consult believes that 26 vendors use the technology from KCodes.

“While NetUSB was not accessible from the internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the internet. We don’t know if this is due to user misconfiguration or the default setting within a specific device. Exposing NetUSB to the internet enables attackers to get access to USB devices of potential victims and this would actually count as another vulnerability,” the researchers say.

At the moment, TP-LINK has released fixes for the NetUSB vulnerability and scheduled patches for about 40 products.

In some cases, a workaround is available, which consists of disabling NetUSB via the web interface, but this action does not mitigate the issue on all affected devices.

NETGEAR said that, on their products, the risk cannot be alleviated because the TCP port used by the server cannot be firewalled and there is no way to disable the service.