Eighteen makers of IT enterprise and home networking equipment, including Cisco Systems and Western Digital, have been notified about a driver bug that could allow an attacker to get into routers, access points and other gear through software that allows people to connect USB devices such as hard drives, printers and speakers.
The U.S. CERT (Computer Emergency Response Team) notified the 18 companies after Austria-based SEC Consult discovered a vulnerability in the NetUSB kernel driver created by a Taiwan company called KCodes and used by many equipment makers. SEC Consult revealed the bug Tuesday.
KCodes describes itself as “the world’s premier technology provider of mobile printing, audio and video communication, file sharing, and USB applications for iPhones, iPads, smart phones and tablets, MacBooks, and Ultrabooks.”
Manufacturers often describe its USB over IP technology in their gear as enabling print sharing or having a USB share port.
But SEC Consult says NetUSB suffers from a remotely exploitable kernel stack buffer overflow. “Because of insufficient input validation, an overly long computer name can be used to overflow the ‘computer name’ kernel stack buffer. This results in memory corruption which can be turned into arbitrary remote code execution,” it says in a warning.
“Here we have another case that shows the sad state of embedded systems security. Because the same vendors are building the IoT devices of tomorrow, we will see a lot of this in the future.”
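The missing input validation described in the advisory, shown as a bounds-checked parser. This is an added example, not code from SEC Consult's advisory or from KCodes; the length-prefixed wire format, the 64-byte buffer size and the function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX_LEN 64  /* assumed buffer size, not taken from the advisory */

/* Hypothetical wire format: 4-byte little-endian length, then the name bytes.
 * The unsafe pattern is a fixed stack buffer filled with a peer-chosen length:
 *     char name[NAME_MAX_LEN]; memcpy(name, msg + 4, wire_len);
 * The function below performs the checks that pattern omits. */

/* Returns the name length on success, -1 on any malformed input. */
int parse_computer_name(const uint8_t *msg, size_t msg_len,
                        char out[NAME_MAX_LEN])
{
    uint32_t wire_len;

    if (msg == NULL || out == NULL || msg_len < 4)
        return -1;                  /* length header truncated */

    wire_len = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
               ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);

    if (wire_len == 0 || wire_len >= NAME_MAX_LEN)
        return -1;                  /* would not fit with the terminator */
    if (wire_len > msg_len - 4)
        return -1;                  /* claims more bytes than were received */
    if (memchr(msg + 4, '\0', wire_len) != NULL)
        return -1;                  /* embedded NUL would truncate the name */

    memcpy(out, msg + 4, wire_len); /* length is now proven to fit */
    out[wire_len] = '\0';
    return (int)wire_len;
}

int main(void)
{
    /* Constructed sample message: length 5, name "alice". */
    const uint8_t ok[] = {5, 0, 0, 0, 'a', 'l', 'i', 'c', 'e'};
    char name[NAME_MAX_LEN];

    return parse_computer_name(ok, sizeof ok, name) == 5 ? 0 : 1;
}
```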
SEC Consult says it has tried unsuccessfully since February to communicate with KCodes about the problem. As of yesterday only TP-LINK had released fixes for the vulnerability and provided a release schedule for about 40 products, it said.
Sometimes NetUSB can be disabled via the web interface, the SEC Consult advisory added, but at least on the Netgear devices it tested, the vulnerability wasn’t disabled. The consulting company says it was told by Netgear that there is no workaround available, that the TCP port can’t be firewalled, and that there is no way to disable the service on its devices.
Manufacturers notified by CERT include ALLNET GmbH, Ambir Technologies, Asante, D-Link Systems Inc., Digitus, Edimax Computer Company, Encore Electronics, IOGEAR, LevelOne, Linksys, Longshine Networking, PROLiNK Fida Intl., TRENDnet, Western Digital Technologies and ZyXEL.
Network IT pros need to keep an eye out for patches or workarounds from vendors that attempt to resolve this problem.