NetUSB hack puts millions of home users at risk
A vulnerability has been discovered in a software component called NetUSB, which comes pre-installed on many modern home routers from vendors such as Netgear, TP-Link and TRENDnet. The flaw has only been partially fixed since February, despite being very simple to exploit.
NetUSB is a technology developed by the Taiwanese company KCodes that lets users access printers, flash drives and other USB devices connected to their router over the network; this is also known as “USB over IP” functionality.
Many home devices at risk
The flaw was initially found on a TP-Link router, but it soon turned out that many more brands are affected because many devices use the NetUSB technology. Because NetUSB is usually licensed to vendors, the feature is harder to spot: each vendor uses its own terminology when referring to it. SEC Consult checked whether devices contain the NetUSB kernel driver and discovered that many devices, including recently released products, are at risk.
“Because of insufficient input validation, an overly long computer name can be used to overflow the ‘computer name’ kernel stack buffer”, according to SEC Consult. The resulting memory corruption can be exploited by an attacker to take over the router: installing malware, spying on its users, wiping it clean or simply making it crash.
At the time of writing, it was not yet clear whether the flaw is exploitable remotely or only from within the local network. Some vendors have already scheduled firmware patches (see full list), but others have yet to address the issue. KCodes was not available for comment and has not (yet) released an official statement.
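The bug class SEC Consult describes (a length field taken from the client and used unchecked to copy into a fixed-size kernel stack buffer) is illustrated below with an added example. This is not KCodes' NetUSB driver code; the wire format (a 4-byte length followed by the name bytes), the 64-byte buffer size and all function names are assumptions made for the illustration. The unchecked parser shows the defect; the checked parser shows the validation that prevents the overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration only; not the real driver's value. */
#define NAME_BUF_SIZE 64

/* Vulnerable pattern: the client-supplied length is trusted and the copy
 * into a fixed-size stack buffer is unbounded. It is only ever called here
 * with a short name; with len >= NAME_BUF_SIZE it would corrupt the stack,
 * which is exactly the defect the advisory describes. */
int parse_name_unchecked(const uint8_t *msg, size_t msg_len)
{
    char name[NAME_BUF_SIZE];
    uint32_t len;

    if (msg_len < 4)
        return -1;
    memcpy(&len, msg, 4);                 /* length field from the wire */
    if ((size_t)len > msg_len - 4)
        return -1;                        /* truncated packet */
    memcpy(name, msg + 4, len);           /* BUG: len never compared to sizeof(name) */
    name[len] = '\0';                     /* BUG: off by one even when len == 63 + 1 */
    return (int)len;
}

/* Hardened form: the length is validated against the destination before
 * any byte is written, leaving room for the terminating NUL. */
int parse_name_checked(const uint8_t *msg, size_t msg_len,
                       char *out, size_t out_size)
{
    uint32_t len;

    if (msg_len < 4 || out_size == 0)
        return -1;
    memcpy(&len, msg, 4);
    if ((size_t)len >= out_size)
        return -1;                        /* reject: would not fit with NUL */
    if ((size_t)len > msg_len - 4)
        return -1;                        /* reject: truncated packet */
    memcpy(out, msg + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a constructed message: 4-byte host-order length + name bytes. */
size_t build_name_msg(uint8_t *buf, size_t buf_size, const char *name)
{
    size_t n = strlen(name);
    uint32_t len = (uint32_t)n;

    if (buf_size < 4 + n)
        return 0;
    memcpy(buf, &len, 4);
    memcpy(buf + 4, name, n);
    return 4 + n;
}

/* A short, well-formed name is accepted by both parsers. */
int demo_short_name(void)
{
    uint8_t msg[512];
    char out[NAME_BUF_SIZE];
    size_t n = build_name_msg(msg, sizeof msg, "desktop-01");

    if (parse_name_unchecked(msg, n) != 10)
        return -1;
    return parse_name_checked(msg, n, out, sizeof out);   /* 10 */
}

/* A 200-byte name (constructed) is rejected by the checked parser before
 * any write happens; the unchecked parser is deliberately not called here. */
int demo_long_name(void)
{
    uint8_t msg[512];
    char out[NAME_BUF_SIZE];
    char longname[201];

    memset(longname, 'A', 200);
    longname[200] = '\0';
    size_t n = build_name_msg(msg, sizeof msg, longname);
    return parse_name_checked(msg, n, out, sizeof out);   /* -1 */
}

int main(void)
{
    printf("short name -> %d\n", demo_short_name());
    printf("long  name -> %d\n", demo_long_name());
    return 0;
}
```

The difference between the two parsers is a single comparison against the destination size, made before the copy; a kernel driver that omits it hands control of the stack layout to whoever can reach the service port.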
How to protect yourself?
If possible, completely disable the NetUSB service via the web interface of your router (unfortunately this is not supported on Netgear routers) and also block port 20005 on the router’s firewall. Check with your router’s manufacturer whether they plan to release a patch for your device.