'Millions' of routers open to absurdly outdated NetUSB hijack

SEC Consult Vulnerability Lab's Stefan Viehböck says potentially millions of routers and internet of things devices using KCodes NetUSB could be exposed to remote hijacking or denial of service attacks. The packet fondler says the vulnerability (CVE-2015-3036) hits the Linux kernel module in scores of popular routers which …

  1. adam payne Silver badge

    So vendors have been told about this and they've known for a few months but according to the advisory only one manufacturer seems to have done something about it.

    1. David Gosnell

      Sounds about par for the course. I remember raising a query with the rebadger of an old router of ours regarding what they planned to do about patching a security flaw in Busybox (the psyb0t worm, back in 2009), and needless to say my message was deleted without reading. Sadly with so much badge-engineering going on like this, the accountability trail in both directions for actually getting anything fixed is ghastly - any complaints or bug reports haven't got a hope in hell of making it back to the manufacturers, and even if the manufacturers do issue patches, the chances of the rebadgers bothering to make them available to us is about nil.

  2. Androgynous Cupboard Silver badge

    And this is a kernel module why, exactly?

    1. Anonymous Coward

      Because the company is too cool to use libusb…

      I just had a look to see if this was a module they contributed to the Linux kernel or if it's something proprietary. So far, research hints it's the latter.

  3. Lee D Silver badge

    "NETGEAR told us, that there is no workaround available, the TCP port can't be firewalled nor is there a way to disable the service on their devices."

    Well... that's just incredibly stupid.

    That said, this is presumably only a local attack - on sensible routers - because you're not going to be exposing USB functionality to the raw Internet now, are you? Are you?

    Well... that's just incredibly stupid too.

    1. emmanuel goldstein

      from SEC Consult Vulnerability Lab:

      "While NetUSB was not accessible from the internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the internet. We don’t know if this is due to user misconfiguration or the default setting within a specific device. Exposing NetUSB to the internet enables attackers to get access to USB devices of potential victims and this would actually count as another vulnerability."

    2. ckm5

      There is a workaround

      Just don't use a NetGear device....

  4. Richard42

    So the attacker has to gain physical access to the router and plug a hacked USB device in to, I assume, gain root access to the router?

    After which they can find out the wifi password with a bit of memory dumping?

    To a router they're standing next to, that will very likely have free network ports, that they can plug into to gain access to the network they're trying to gain access to?

    I know doing it this way will give them network access remotely once they've done it, but I'm sure there are other ways of doing the same that are a lot easier (plugging your own AP in that doesn't transmit its SSID?)

    Just doesn't seem that realistic an attack to me, so the "Millions" in the article title is the usual headline grabbing drivel.

    1. Androgynous Cupboard Silver badge

      Nope

      By the looks of it, all they have to do is connect (remotely) to the service on port 2005 and send data that will smash the stack to do whatever - fork a shell listening on port X is the obvious one. Don't see any reason why anything has to be plugged into a USB socket to exploit this.

      1. ACZ

        Re: Nope

        Yup. The security advisory says that "NetUSB suffers from a remotely exploitable kernel stack buffer overflow."

        My home router model is listed, but I'm running DD-WRT on it, so hopefully that avoids any issue with this...

        1. Dan 55 Silver badge

          Re: Nope

          Depends. First the router database on dd-wrt is absurdly out of date so if you want an up-to-date build you need to download one from the ftp site. If you want to do that you have to read the forums to see how a modern build did with your router because many builds have something wrong with them on certain routers.

          Secondly the firewall may block testing of the WAN IP from inside the LAN. You may have to trust a third party (Steve Gibson probably).

  5. LDS Silver badge

    That's why I hate multifunctional devices...

    ... I by far prefer multiple devices each doing one function only (router, switch, file server, etc.), so I can select each one separately, but I understand such setup is more expensive and complex to configure.

    But cobbling together a lot of functions into a single device while squeezing costs will inevitably lead to a lot of low quality code written or borrowed here and there inside those devices. And each attack surface will probably compromise the other functions as well.

    IMHO they should 'virtualize' or 'containerize' each function within the device so one vulnerability in one module won't affect the whole device, or at least will make it harder to compromise the whole device, and, if needed, you can wholly turn off one module.

  6. Bob Gateaux

    So once again we are seeing the linux fail with the security holes.

    When will they learn that it is free and you are getting what you are paying for?

    1. Midnight

      Indeed. I get a much better class of ridiculous security hole when I pay for it.

    2. Anonymous Coward

      "When will they learn that it is free and you are getting what you are paying for?"

      I shudder to think how much these router makers paid KCodes for their NetUSB module. Evidently too much for what it was worth.

      Thankfully it isn't a part of the mainline Linux kernel, so none of my devices are infected with it.

    3. Lee D Silver badge

      Except the component in question is a proprietary kernel module plugged into a Linux setup?

      It's like blaming Microsoft for you buying a Windows device from, say, Lenovo that came pre-installed with spyware.

  7. Stevie Silver badge

    Bah!

    *sighs* All your lightbulb are belong to Blues Traveler.

  8. Anonymous Coward

    Are there any routers available to buy that run code written by anyone who has even the smallest clue?

    Nowadays routers are easily the most buggy, flakey and unreliable part of all of our IT landscapes and they seem to be getting worse. Are all routers developed in cheap developer shops by people simply not paid enough to care? Any premium, well designed, reliable routers out there?

    1. LDS Silver badge

      If you go for high-end routers from Cisco & C. you may get better support, and sometimes even better software, but you're going to spend a lot more and configurations are more complex, albeit far more powerful as well. And usually, you won't find all-in-one devices.

    2. Matt Piechota

      "Are there any routers available to buy that run code written by anyone who has even the smallest clue?"

      I'm not really sure how clued the RouterOS folks are, but on the surface they seem to have their #### together.

      www.mikrotik.com

    3. Mark Allen
      Flame

      Everyone wants "cheap"

      Trouble is everyone wants "cheap" or "free" routers. I have clients who get upset if I tell them a router is over £100 so instead they end up with sub-£40 devices. Devices that attempt to be routers, modems, wireless AP, print servers, USB Backups, make the tea whilst juggling three balls in the air.

      Not surprising these cheap bits of kit keep failing. Is there any profit in these silly devices? At this end of the market I can see why support is a PITA. If they have to chase a firmware update out of the manufacturer they must burn that profit away.

      It is also noticeable that even among the trusted brand names the exact same router is sold at the bottom end just with a different logo in the corner of the control panels. I get a feeling some of these companies build their own expensive kit, but bring in cheaper stuff to fill in the holes at the bottom end of the market.

      The only reason everyone is now noticing these security issues is because finally people are actually *looking* for the problems. These issues have always been there, but now we have companies who make money shouting about it.

      1. Kevin McMurtrie Silver badge
        Mushroom

        Re: Everyone wants "cheap"

        Cheap isn't the problem. Expensive "Small Business" networking gear is the worst possible mix of half-assed features, blatant flaws, and no hope for upgrades. The problem is that it's not easy to get a refund for severe software defects. They're usually treated as "dissatisfied customer" returns with a 14 day period. Require security vulnerabilities to be in the same category as manufacturing defects and then deadbeats like Netgear and whatever "Linksys" is will vanish overnight.

        Nuke icon because I have, on multiple occasions, bought and returned every single router at an electronics store.

    4. b166er

      As far as I am aware, DrayTEK routers appear to be immune to most if not all of the recent router pwnage flaws I've seen.

    5. Sgt_Oddball Silver badge

      I seem to recall draytek still do good routers, haven't heard of them falling prey to anything lately which considering the business focus of them is a good thing.

      1. Anonymous Coward

        Even DrayTeks...

        I have a client I visit whose VOIP system uses the cheapest Draytek router available. And that has been hit by the DNS compromise. Something is in that router and changed the DNS server over. By luck these people are only running VOIP over that router, but the idiot company who supplied it are refusing to do anything about it...

    6. Anonymous Coward

      Asus

      Found the Asus Routers very stable, moved to MerlinWRT which works brilliantly

  9. Bert 1
    Thumb Up

    More than one router

    I have at least two routers in series. The theory being that any vulnerability in one won't be passed through to the second one. Even if the first one is pwned, the second one is still working.

    Maybe a false hope, but it makes me feel better.

  10. Badger Murphy

    And feed MORE kit to these jackals?

    ...and that is why any viable IoT solution must NOT use an IP transport protocol. If manufacturers of home routers, the gate and gatekeeper of our home networks, can't be arsed to even pay lip service to network security, what do you think the chances are that manufacturers of, say, smart coffee makers will be any better? Soon, every piece of electronics in our whole homes can join in on the bot nets.

    1. InfiniteApathy

      Re: And feed MORE kit to these jackals?

      IoT will use IP, that's already a given.

      What would you suggest in its stead?

      I prefer a well known protocol for this as it's easier to spot the nasties & squash em. Your comment leads me to think you're after security by obscurity though I won't put words in your mouth.

    2. YetAnotherLocksmith

      Re: And feed MORE kit to these jackals?

      What do you suggest? Anything you do will be tied to an IP gateway in about 15 minutes by someone, even if you don't allow it.

      Even without, you'll end up with entire streets daisy chained together with BTLE devices paying data, or with ad hoc networks, or turning the lights on and off to get data transferred, or even, the weird virus idea brought to life, the devices communicating by ultrasound.

      So once compromised, there will still be plenty of routes for stuff to hack other stuff. After all, you'll just Google the exploit for the bit of kit you are looking at, & it will tell you what comms paths it has.
