KCodes NetUSB Security Flaw Found In Many Routers

Early last week a security vulnerability was disclosed in KCodes NetUSB. This is a Linux module that is provided as part of the operating system that runs within the router. It allows the sharing of USB services across your local network (i.e. to devices that are connected to your router). These devices could be external hard disks (for media sharing), webcams, printers etc.

The flaw within the KCodes module is a buffer overflow that can be exploited by connecting a computer which has a host name longer than 64 characters. Since this module runs in kernel mode (it’s a kernel driver) once the buffer overflow occurs, the attacker can then use this flaw to execute code or a denial of service.

For a list of affected routers, please see this SEC Consult security advisory and this CERT advisory. At the time of writing TP-Link has released updated firmware for some of their routers with further models to receive updates in the future (a timeline is presented in the aforementioned SEC Consult security advisory). In addition, Netgear is working to address this flaw in its affected products and plans to make updates available in July for this purpose.

How I can defend against/mitigate this attack?
While updates are pending, please ensure that your routers administrative interface (usually accessible via a web browser) is protected with a strong password. In addition, on some models of router it may be possible to disable the sharing of USB devices on the network. In the case of Netgear routers’ disabling this sharing feature has no effect. For all other routers that have this feature preventing access to the sharing service by blocking access to TCP port 20005 (from your local internal network using the routers firewall) will mitigate this vulnerability.

Update: 29th May 2015:
D-Link have made available a security advisory for this issue with a timeline for firmware updates that are currently under development. If you own a D-Link router, please check if your model is affected and take the necessary action (if applicable).

Finally I would recommend monitoring the relevant websites of your routers’ manufacturer for firmware updates that address this flaw. Please follow the steps provided by your router manufacturer to apply the relevant updates. Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.