A vulnerability in NetUSB puts millions of routers, printers, webcams, external hard drives and other devices at risk. It is a serious flaw that could allow an attacker to take full control of them.
A security researcher explains that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. If exploited, this kind of vulnerability can result in remote code execution or denial of service. Since the NetUSB service code runs in kernel mode, attackers who exploit the flaw could execute malicious code on the affected devices with the highest possible privilege.
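The missing length check described above, as an added C example (not code from NetUSB or from SEC Consult), with the flawed copy beside a hardened one. The message layout (a 4-byte length followed by the name) and all function names are assumptions made for illustration; only the 64-character limit comes from the article.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_CAP 64   /* the 64-character limit the article mentions */

/* Assumed message layout (hypothetical, not the NetUSB wire format):
 * 4-byte little-endian length, then that many bytes of computer name. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern: the client-chosen length drives the copy, so a name
 * longer than the destination buffer writes past its end. */
void parse_name_unchecked(const uint8_t *msg, char *out)
{
    uint32_t n = read_le32(msg);
    memcpy(out, msg + 4, n);
    out[n] = '\0';
}

/* Hardened form: returns the name length, or a negative error code. */
int parse_name_checked(const uint8_t *msg, size_t msg_len,
                       char *out, size_t out_size)
{
    if (msg_len < 4)
        return -1;                  /* header truncated */
    uint32_t n = read_le32(msg);
    if (n > HOSTNAME_CAP || n >= out_size)
        return -2;                  /* over the limit: reject the message */
    if (n > msg_len - 4)
        return -3;                  /* claims more bytes than were received */
    memcpy(out, msg + 4, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample: a 5-byte name "lab01". */
    const uint8_t ok[] = { 5, 0, 0, 0, 'l', 'a', 'b', '0', '1' };
    char name[HOSTNAME_CAP + 1];
    printf("%d\n", parse_name_checked(ok, sizeof ok, name, sizeof name));
    return 0;
}
```

The checked version validates the claimed length against both the protocol limit and the bytes actually received before it touches the destination buffer.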
What is NetUSB?
NetUSB is implemented in Linux-based embedded systems, such as routers, as a kernel driver. The driver is developed by Taiwan-based KCodes Technology. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. The client connects to the server and simulates the devices that are plugged into the embedded system locally. The service allows users to connect an external device to a computer on a local network or the Internet via IP (Internet Protocol).
SEC Consult believes that many other vendors might also have vulnerable products. It has contacted TP-Link and Netgear, as well as the CERT Coordination Center (CERT/CC), the German CERT-Bund and the Austrian CERT, who are working to notify other vendors.
SEC Consult said that so far only TP-Link has released fixes; it has a release schedule for around 40 products. Netgear, D-Link and ZyXEL did not immediately respond to SEC Consult's security report.
According to SEC Consult, the NetUSB feature was enabled on all devices checked, and the service was still running even when no USB devices were connected. On some of the devices, users can disable the feature from the Web-based administration interface or block access to the port using the firewall feature. But on some devices manufactured by Netgear, it is not possible to disable the feature.