Security researchers recently discovered a major router vulnerability in a widely used Linux kernel driver that could lead to hackers compromising millions of connected devices.
The driver, dubbed NetUSB, was developed by Taiwan-based KCodes Technology. SEC Consult Vulnerability Lab, which discovered the NetUSB flaw last week, identified 26 vendors whose products were likely affected by the router flaw.
NetUSB, known for providing USB share port or IP-over-USB functionality, allows multiple users to connect to a bundle of products that are plugged into the router. The discovered vulnerability is present in the authentication step of the router setup: after authentication, the client is asked to send a computer name as part of this confirmation.
"This is where it gets interesting," a blog post on the SEC Consult website said. "The client can specify the length of the computer name. By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket."
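The pattern described above, a client-supplied length copied into a fixed 64-byte stack buffer, is shown below in hardened form. This is an added, constructed example, not KCodes' NetUSB code; it assumes a simple wire layout (4-byte big-endian length followed by the name bytes) and the 64-byte limit the article mentions.

```c
#include <stdint.h>
#include <string.h>

#define NAME_MAX 64   /* size of the fixed stack buffer the article describes */

/* Hardened receive of a client-supplied computer name.
 * Assumed (not NetUSB's real) wire layout: 4-byte big-endian length, then
 * the name bytes. The flaw described on this page was trusting that length
 * field; the checks below are what a safe receive path needs. */
int parse_computer_name(const uint8_t *pkt, size_t pkt_len,
                        char *out, size_t out_size)
{
    if (pkt == NULL || out == NULL || out_size == 0 || pkt_len < 4)
        return -1;
    uint32_t claimed = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                       ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    if (claimed >= out_size)        /* must leave room for the NUL terminator */
        return -1;
    if (claimed > pkt_len - 4)      /* length must not exceed bytes received */
        return -1;
    memcpy(out, pkt + 4, claimed);
    out[claimed] = '\0';
    return (int)claimed;
}

/* Constructed message builder used by the checks below. */
static size_t build_message(uint8_t *dst, uint32_t claimed,
                            const char *payload, size_t payload_len)
{
    dst[0] = (uint8_t)(claimed >> 24); dst[1] = (uint8_t)(claimed >> 16);
    dst[2] = (uint8_t)(claimed >> 8);  dst[3] = (uint8_t)claimed;
    memcpy(dst + 4, payload, payload_len);
    return 4 + payload_len;
}

/* A 10-byte name fits: it is copied and NUL-terminated. Returns 1 on success. */
int check_short_name(void)
{
    uint8_t pkt[128]; char name[NAME_MAX];
    size_t n = build_message(pkt, 10, "SOHO-NAS-1", 10);
    return parse_computer_name(pkt, n, name, sizeof name) == 10 &&
           strcmp(name, "SOHO-NAS-1") == 0;
}

/* A 200-byte name (more than the 64-byte buffer) is rejected, not copied. */
int check_oversized_name(void)
{
    uint8_t pkt[256]; char name[NAME_MAX];
    char big[200]; memset(big, 'A', sizeof big);
    size_t n = build_message(pkt, 200, big, sizeof big);
    return parse_computer_name(pkt, n, name, sizeof name) == -1;
}
```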
"While NetUSB was not accessible from the Internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the Internet," the SEC Consult blog post said. "We don't know if this is due to user misconfiguration or the default setting within a specific device."
The NetUSB code is used in a myriad of routers and connected devices from vendors such as D-Link, Netgear, TP-LINK, Trendnet and ZyXEL. Several vendors responded to SEC Consult's notification of the router vulnerability; ZyXEL and Netgear announced they will have firmware updates addressing the NetUSB flaw in June and July, respectively. D-Link announced it will release a patch this week for a legacy router, which was the only product affected by the flaw. TP-LINK, meanwhile, has already released a firmware update.
"Once we got the feedback from SEC Consult, we attached high importance [to the issue] and arranged [a] Firmware Update immediately," a TP-LINK representative told SearchSecurity in an email. "TP-LINK is always responsible for customers and devoted to [making] the products most reliable and safe."
The NetUSB threat: Moderate or severe?
SEC Consult also notified the Computer Emergency Response Team at Carnegie Mellon University's Software Engineering Institute in Pittsburgh, as well as other CERT branches, to spread the word and get patches in place for the USB connections. Such exploits are not new to NetUSB, according to Art Manion and Garret Wassermann, vulnerability analysts at the CERT Division.
"A buffer overflow type of vulnerability means it's C, C++ code," Manion said, adding that buffer overflows have been around since the '90s. "It's not a new type of vulnerability, but they still happen a lot."
The Linux kernel drivers used in NetUSB would most likely be written in C, Manion said. It would not make sense to code router firmware in Java, for example, but in network applications and the Web interface for managing the router, it would.
"C lets the developer do whatever they want with memory," Manion said. "That's very powerful if you're writing something that needs to be very fast. One of the dangers is it lets you do whatever you want, and you can make a mistake such as a buffer overflow or get yourself in loops."
Efficiency in memory and CPU usage makes C ideal in this situation, despite the greater room for error.
"Java runs on top of the Java virtual machine, [adding] a lot of overhead, which is not feasible for a lot of the small embedded devices," Wassermann said. "They don't have a lot of memory and processing power to do that."
Code scanning and secure coding are two measures that a developer can take to detect this kind of flaw. Interface -- or "fuzz" -- testing is also a viable option. Manion nevertheless commended the vendors for responding to the flaw, saying that it was rare for such vendors to respond at all.
SOHO routers and NAS products compete on price and are ubiquitous in the market, according to Manion, and they are rarely updated -- even if new firmware is released. The NetUSB router issue was a medium on the CERT scale, but Manion said that higher-level issues are common as well.
"In the past, we've seen a few cases where vulnerabilities in code, which is shared by many embedded devices, have a huge security impact," according to SEC Consult's blog.
Some routers are shipped by default with the TCP port open to the Internet; this can lead to big issues affecting tens of thousands of customers. Such was the case last year with "The Moon" router vulnerability.
While the routers that SEC Consult examined were not exposed to the Internet, the researchers did find evidence of devices that expose the TCP port to the Internet. This creates an inherently different problem, allowing attackers to remotely control USB devices. That would be a severe issue, according to CERT, as would allowing code to run on the router.
"Instead of sending a whole lot of garbage, if you carefully send a sort of string in the buffer overflow -- instead of crashing, it will actually run the code that you gave it," Manion said. "In that case I can do all sorts of things to the router: I can tell it to use a different DNS server, I can tell it [to] route its traffic a different way, I can tell it to open itself up to the Internet -- if it was code execution, that's a more severe impact usually than just crashing it."
But for now, without exposure to the Internet, it's unlikely that an attacker would be able to crash the router deliberately since they would have to be plugged directly into the network or on the wireless network.
"Here we have another case that shows the sad state of embedded systems security," the SEC Consult blog reads. "Because the same vendors are building the IoT devices of tomorrow, we will see a lot of this in the future."