Simple but Critical NetUSB Flaw Leaves Millions of Home Routers Open to Attack


An amazingly simple flaw in a component called NetUSB has potentially endangered millions of home routers around the world, leaving them vulnerable to attacks.

The vulnerability is located in the NetUSB component that’s a fixture on plenty of modern routers. The routers that are vulnerable include models from:

  • TrendNet
  • Netgear
  • TP-Link
  • D-Link
  • Zyxel, among others.

The NetUSB module and how it works

KCodes, a Taiwanese vendor, produces NetUSB, which lets users plug printers, flash drives, external hard drives and other USB devices into the modem-router and access them readily over the network at a higher bandwidth. NetUSB is installed as a kernel driver on routers and, once enabled, it starts a server that listens on TCP port 20005 for clients connecting over the network.

The vulnerability

Sec Consult, the security firm that discovered the flaw, noted that a connecting computer with a name longer than 64 characters could trigger a stack buffer overflow in the NetUSB service. Security researchers from the firm concluded that this vulnerability can facilitate remote code execution, a critical threat, or even denial of service.

Vitally, the NetUSB service runs in kernel mode. Because of this, attackers who exploit the flaw have the means to execute malicious code on the devices connected to the router, with the highest admin privileges. These findings and more were published in a blog post by Sec Consult security researchers.

So far, Sec Consult has confirmed the existence of the vulnerability in 3 routers, namely:

  • TP-Link TL-WDR4300 V1
  • TP-Link WR1043ND v2
  • Netgear WNDR4500

After further research, which included scanning the firmware images of various routers for the installed NetUSB.ko driver, Sec Consult asserts that a further 92 products are vulnerable, as mentioned in this list.

“It is safe to say that vulnerability reports like these will continue to appear until a paradigm shift is enacted at the manufacturer level,” said Jacob Holcomb, a security analyst.

This is just one in a long list of fundamental security flaws and vulnerabilities found in consumer routers in recent years, putting consumers’ privacy at stake, according to Holcomb.

Router manufacturers’ acknowledgement

A TP-Link spokesperson addressed the vulnerability directly, saying the company has treated the issue as a priority ever since Sec Consult made the world aware of it. “TP-Link is the only vendor that has already started releasing fixed firmware and has a schedule of continuously updating firmware,” they added.

A D-Link spokesperson said: “We are not aware of this security issue affecting any D-Link products but are currently carrying out the necessary investigations to ensure all products comply with safety and quality standards.”

A quick, temporary fix

Users with USB-enabled routers are advised to check whether the NetUSB service runs at all times, even when no USB devices are attached. If it does, switching the service off manually is recommended.

“We are recommending to disable the service (if supported by the vendor) and block port 20005 with a firewall. For Netgear devices there is no workaround according to the vendor – there is no possibility to disable the service or block the port with an integrated firewall. Hence an additional firewall would be needed,” said Johannes Greil, head of SEC Consult Vulnerability Lab.
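The check described above can be scripted. The following is an added example, not code from Sec Consult or any router vendor: it probes TCP port 20005 on addresses you own and reports whether the NetUSB port is reachable, which is also a way to confirm that disabling the service or adding a firewall rule took effect. The address 192.168.1.1 is a placeholder assumption for the router's LAN address.

```python
import socket

NETUSB_PORT = 20005  # TCP port the article says the NetUSB server listens on


def probe_tcp(host, port=NETUSB_PORT, timeout=2.0):
    """Classify one TCP port as 'open', 'closed', 'filtered' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"          # reset received: nothing is listening
    except socket.timeout:
        return "filtered"        # no answer: dropped by a firewall, or host down
    except OSError:
        return "error"           # no route, name resolution failure, etc.


def audit(hosts, port=NETUSB_PORT, timeout=2.0):
    """Probe each address and return {host: (state, advice)}."""
    advice = {
        "open": "port reachable: disable NetUSB or block the port",
        "closed": "nothing listening on the port",
        "filtered": "no reply: port is blocked or host is unreachable",
        "error": "could not test this address",
    }
    results = {}
    for host in hosts:
        state = probe_tcp(host, port, timeout)
        results[host] = (state, advice[state])
    return results


if __name__ == "__main__":
    # Placeholder address (assumption): substitute your own router's LAN IP.
    for host, (state, note) in audit(["192.168.1.1"]).items():
        print(f"{host}:{NETUSB_PORT} {state} - {note}")
```

Run it once from a machine on the LAN and, if possible, once against the router's public address from outside the network, since the two interfaces can be filtered differently.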