Newly uncovered legacy vulnerability could put millions of routers at risk
A security flaw that dates back to the 1990s could mean that millions of Internet routers and other IoT devices around the world could be vulnerable to Denial of Service (DDoS) attacks and hijacking.
This is the warning from SEC Consult Vulnerability Lab, which published a blog posting outlining the vulnerability in an embedded software component called NetUSB.
NetUSB was developed by a Taiwanese company called Kcodes back in the 1990s. Essentially, it is a Linux kernel module that is used to provide USB device sharing on a home network or the Internet via the IP protocol.
What makes this flaw potentially so serious is that NetUSB is implemented in Linux-based embedded systems, such as routers, as a kernel driver. It can also be used in printers, webcams, flash drives, external hard disks and many more devices.
So how does it work? Well, it seems that once NetUSB is enabled, it opens a server that listens on TCP port 20005 for connecting clients. The problem occurs because if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. That buffer overflow can then be exploited by a hacker, and could, warned SEC Consult Vulnerability Lab, result in remote code execution or denial of service.
“As part of the connection initiation, the client sends his computer name,” SEC’s report said. “This is where it gets interesting: The client can specify the length of the computer name. By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket. Easy as a pie, the ‘90s are calling and want their vulns back, stack buffer overflow. All the server code runs in kernel mode, so this is a “rare” remote kernel stack buffer overflow.”
To get an idea of many products this flaw affects, the security firm downloaded a bunch of firmware images from D-Link, NETGEAR, TP-LINK, Trendnet and ZyXEL. It found that 92 products out of the analysed firmware images contain the NetUSB code, which potentially means that millions of devices can be vulnerable.
Different vendors integrate NetUSB into their products, but have different names for it, which only compounds the problem.
The security firm tried to contact KCodes earlier this year, and it provided them with a detailed vulnerability analysis. Unfortunately, the Taiwanese vendor did not respond appropriately.
“They sent a few nonsensical responses and then further ignored us,” SEC said. “Afterwards, we informed TP-LINK and NETGEAR directly about the vulnerability. The other vendors were informed by CERT/CC and other CERTs.”
Router security has become an increasingly important issue in recent years. In February security specialist Proofpoint warned that spam emails can use default passwords to hack into routers.
Mobile operator EE has also admitted to a flaw in the Brightbox routers it provides to the home broadband customers that could allow a hacker to remotely access user’s account and personal information.
And recent research revealed that the notorious hacking group Lizard Squad has been using unsecured home internet routers to power its LizardStresser service, which is used for DDoS (Distributed Denial of Service) attacks against certain targets.
What do you know about Internet security? Find out with our quiz!