Millions of Routers open to attack due to a NetUSB flaw

A simple vulnerability has been uncovered in the NetUSB component; millions of modern routers and other IoT devices are exposed to the risk of cyber attacks.

The security expert Stefan Viehbock from SEC Consult Vulnerability Lab has reported a critical vulnerability (CVE-2015-3036) that potentially affects millions of routers and Internet of Things devices using the KCodes NetUSB component. An attacker could exploit the flaw in NetUSB to remotely hijack the devices or to cause a denial of service. Unfortunately, the impact of the flaw is large because the NetUSB component is integrated into modern routers provided by major manufacturers including D-Link, Netgear, TP-Link, ZyXEL and TrendNet.

The vulnerability is a remotely exploitable kernel stack buffer overflow and resides in KCodes NetUSB, a Linux kernel module that makes USB devices plugged into routers (e.g. printers and external hard drives) available to the network over TCP port 20005. Viehbock explained that it is quite easy to trigger the vulnerability by using a connecting computer name longer than 64 characters, which causes a stack buffer overflow in the NetUSB service, resulting in memory corruption.

“By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket,” Viehbock says. “Because of insufficient input validation, an overly long computer name can be used to overflow the computer name kernel stack buffer.” “This results in memory corruption which can be turned into arbitrary remote code execution [or denial-of-service].”

As highlighted by the expert, the IT industry is facing a ‘rare’ remote kernel stack buffer overflow:

“Easy as a pie, the ‘90s are calling and want their vulns back, stack buffer overflow. All the server code runs in kernel mode, so this is a “rare” remote kernel stack buffer overflow.”

TP-Link has already issued patches for 40 of its devices, and the same goes for Netgear and Trendnet, but other vendors including D-Link are potentially exposed to attacks.
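The bug class described above (a peer-supplied name copied into a 64-byte stack buffer without a length check), shown as an added illustration beside the check that prevents it. This is not KCodes code: the one-byte length prefix, the in-memory `stream` that stands in for the socket, and all function names are assumptions made for the example, since the article does not describe the wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_BUF 64                 /* name buffer size given in the article */

/* Constructed in-memory stand-in for the TCP socket, so this runs offline. */
struct stream { const uint8_t *data; size_t len, pos; };

/* Take exactly n bytes from the stream; -1 if the peer sent fewer. */
int recv_exact(struct stream *s, void *dst, size_t n) {
    if (s->len - s->pos < n) return -1;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return 0;
}

/* Flawed pattern: the peer-supplied length is used unchecked, so any
 * n > NAME_BUF writes past the end of out[]. Kept only for contrast. */
int read_name_unchecked(struct stream *s, char out[NAME_BUF]) {
    uint8_t n;
    if (recv_exact(s, &n, 1)) return -1;
    return recv_exact(s, out, n);
}

/* Hardened pattern: validate the claimed length against the buffer before
 * copying, and reject (not truncate) oversized names. Returns the name
 * length, -1 on a short read, -2 on an oversized name. */
int read_name_checked(struct stream *s, char out[NAME_BUF + 1]) {
    uint8_t n;
    if (recv_exact(s, &n, 1)) return -1;
    if (n > NAME_BUF) return -2;
    if (recv_exact(s, out, n)) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Build a constructed frame claiming `claimed` bytes but carrying `sent`
 * (sent <= 255), then run it through the hardened reader. */
int demo_checked(uint8_t claimed, size_t sent) {
    uint8_t frame[1 + 255];
    char name[NAME_BUF + 1];
    struct stream s = { frame, 1 + sent, 0 };
    frame[0] = claimed;
    memset(frame + 1, 'A', sent);
    return read_name_checked(&s, name);
}
```

Rejecting the oversized name outright, instead of truncating it, also gives the service a clean event to log when a client sends a name longer than the buffer.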
Below is the complete list of affected devices found by the researcher:

“ALLNET, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, D-Link, EDIMAX, Encore Electronics, EnGenius, HawkingTechnology, IOGEAR, LevelOne, LONGSHINE, NETGEAR, PCI, PROLiNK, Sitecom, TP-LINK, TRENDnet, Western Digital, and ZyXEL”

“To get an idea how many products are affected, we downloaded a bunch of firmware images from D-Link, NETGEAR, TP-LINK, Trendnet and ZyXEL (actually, we downloaded all of them). Then we checked if those firmware images contain the NetUSB kernel driver (NetUSB.ko). We found 92 products out of the analysed firmware images that contain the NetUSB code. A list of affected products can be found in our advisory. We did not check the firmware of the remaining 21 vendors. Many affected products are high-end devices and were released very recently (yes, even the ones that look like spaceships!).”

Viehbock has reported the flaw to US-CERT and to other emergency response teams from Germany and Austria.

Be aware that the NetUSB feature was enabled on all devices analyzed by the expert, and it is important to note that the service is still running even when no USB devices are connected.

A possible mitigation for the vulnerability discovered by Viehbock consists of disabling NetUSB from the admin console of the device, a solution that works only on specific devices. Experts suggest blocking access to port 20005 using a firewall.
Pierluigi Paganini (SecurityAffairs – hacking, KCodes NetUSB)