Potentially millions of devices around the globe – notably routers – are vulnerable due to a remotely exploitable kernel stack buffer overflow (CVE-2015-3036) identified in NetUSB, a Linux kernel module developed by Taiwan-based KCodes that is used to provide USB device sharing on a home network.
The issue presents itself when a client sends the computer name as part of the “connection initiation,” a Tuesday blog post stated, explaining that the stack buffer overflows when the name specified is longer than 64 characters.
“Because of insufficient input validation, an overly long computer name can be used to overflow the ‘computer name’ kernel stack buffer,” according to a Tuesday advisory. “This results in memory corruption which can be turned into arbitrary remote code execution [or denial-of-service].”
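The missing check the advisory describes, sketched in user-space C as an added example (this is not NetUSB or KCodes code, which is not shown in the article). The 4-byte little-endian length prefix, the function names and the error codes are assumptions made for illustration; only the 64-character buffer and the absent input validation come from the text above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 64u  /* size of the computer-name buffer, per the article */
#define HDR_LEN 4u        /* assumed: 32-bit little-endian length prefix */

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The flawed pattern: the peer-supplied length drives the copy into a fixed
 * buffer. Shown for contrast only and never called in this example. */
void read_name_unchecked(const uint8_t *msg, char out[NAME_BUF_LEN])
{
    memcpy(out, msg + HDR_LEN, load_le32(msg));
}

/* Hardened form: returns the name length, or a negative code on rejection. */
int read_name_checked(const uint8_t *msg, size_t msg_len, char out[NAME_BUF_LEN])
{
    uint32_t n;
    if (msg_len < HDR_LEN) return -1;       /* truncated header */
    n = load_le32(msg);
    if (n >= NAME_BUF_LEN) return -2;       /* no room for name plus NUL */
    if (n > msg_len - HDR_LEN) return -3;   /* claims more than was received */
    memcpy(out, msg + HDR_LEN, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed input: header claims `claimed` bytes, message carries `sent`. */
int parse_sample(uint32_t claimed, size_t sent)
{
    uint8_t msg[HDR_LEN + 256] = {0};
    char name[NAME_BUF_LEN];
    if (sent > 256) return -100;
    msg[0] = claimed & 0xff;          msg[1] = (claimed >> 8) & 0xff;
    msg[2] = (claimed >> 16) & 0xff;  msg[3] = (claimed >> 24) & 0xff;
    memset(msg + HDR_LEN, 'A', sent);
    return read_name_checked(msg, HDR_LEN + sent, name);
}

int main(void)
{
    printf("%d %d %d\n", parse_sample(8, 8), parse_sample(200, 200), parse_sample(40, 8));
    return 0;
}
```

The checked parser keeps one byte for the terminator, so it accepts at most 63 name bytes; it also rejects a length that exceeds what was actually received, a separate check from the buffer bound.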
The vulnerability was identified by researchers with SEC Consult, who initially discovered the issue on a TP-LINK device and later verified that the bug exists in the most recent firmware versions of TP-LINK TL-WDR4300 V1, TP-LINK TL-WR1043ND V2, and NETGEAR WNDR4500.
SEC Consult went on to identify NetUSB in the most recent firmware versions of several other products, including D-Link DIR-615 C, as well as several other NETGEAR, TP-Link, TRENDnet, and ZyXEL devices.
Altogether, based on data embedded in KCodes drivers, researchers believe the following are among vendors that are affected: ALLNET, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, D-Link, EDIMAX, Encore Electronics, EnGenius, HawkingTechnology, IOGEAR, LevelOne, LONGSHINE, NETGEAR, PCI, PROLiNK, Sitecom, TP-LINK, TRENDnet, Western Digital, and ZyXEL.
According to the advisory, SEC Consult contacted KCodes numerous times throughout February and into March, but a fix was not made available. SEC Consult later contacted TP-LINK and NETGEAR, as well as CERT Coordination Center (CERT/CC) and other CERTs, before making a public disclosure.
“To this day, only TP-LINK released fixes for the vulnerability and provided a release schedule for about 40 products,” the blog post said. “Sometimes NetUSB can be disabled via the web interface, but at least on NETGEAR devices this does not mitigate the vulnerability. NETGEAR told us that there is no workaround available, the TCP port can’t be firewalled nor is there a way to disable the service on their devices.”
According to a CERT/CC advisory, blocking port 20005 on the local network could help mitigate the issue by preventing access to the service.