BEST OF THE WEB

Network equipment at risk from USB driver bug

Eighteen makers of IT enterprise and home networking equipment including Cisco Systems and Western Digital have been notified about a driver bug that could allow an attacker to get into routers, access points and other gear through software that allows people to connect USB devices like hard drives, printers, speakers.

The U.S. CERT (Computer Emergency Response Team) notified the 18 companies after Austria-based SEC Consult discovered a vulnerability in the NetUSB kernel created by a Taiwan company called KCodes and used by many equipment makers. SEC Consult revealed the bug Tuesday.

KCodes describes itself as “the world’s premier technology provider of mobile printing, audio and video communication, file sharing, and USB applications for iPhones, iPads, smart phones and tablets, MacBooks, and Ultrabooks.”

Manufacturers often describe its USB over IP technology in their gear as enabling print sharing or having a USB share port.

But SEC Consult says NetUSB suffers from a remotely exploitable kernel stack buffer overflow. “Because of insufficient input validation, an overly long computer name can be used to overflow the “computer name” kernel stack buffer. This results in memory corruption which can be turned into arbitrary remote code execution,” it says in a warning.

“Here we have another case that shows the sad state of embedded systems security. Because the same vendors are building the IoT devices of tomorrow, we will see a lot of this in the future.”

SEC Consult says it has tried unsuccessfully since February to communicate with KCodes about the problem. As of yesterday only TP-LINK had released fixes for the vulnerability and provided a release schedule for about 40 products, it said.

Sometimes NetUSB can be disabled via the web interface, the SEC Consult advisory added, but at least on Netgear devices it tested the vulnerability wasn’t disabled. The consulting company says it was told by Netgear that there is no workaround available, that the TCP port can’t be firewalled nor is there a way to disable the service on their devices.

Manufacturers notified by CERT include ALLNET GmbH, Ambir Technologies, Asante, D-Link Systems Inc.,
Digitus,Edimax Computer Company, Encore Electronics, IOGEAR, LevelOne, Linksys, Longshine Networking, PROLiNK Fida Intl., TRENDnet, Western Digital Technologies and ZyXEL.

Network IT pros need to keep an eye out for patches or workarounds from vendors that attempt to resolve this problem.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web