Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking

itwbennett writes: NetUSB, a service that lets devices connected over USB to a computer be shared with other machines on a local network or the Internet, is implemented in Linux-based embedded systems, such as routers, as a kernel driver. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. The advisory notice has a list of affected routers.

Re:

[buchner.johannes]

It actually does not. You can even get faster performance with garbage collection.

Re:

[0123456]

It actually does not. You can even get faster performance with garbage collection.

Yes, you can.... everywhere except in the real world. Garbage collection is one of the reasons iOS is much faster than Android on the same hardware.

Re:

[EmeraldBot]

It actually does not. You can even get faster performance with garbage collection.

Yes, you can.... everywhere except in the real world. Garbage collection is one of the reasons iOS is much faster than Android on the same hardware .

Since when does Android run on iOS devices? It doesn't?

. . . . .

Then it's not the same hardware.

Re:

[ncc74656]

Since when does Android run on iOS devices? It doesn't?

At risk of being pedantic, there was a project years ago that got Android kinda-sorta working on the iPhone 3G. It was sluggish and drained your battery at an alarming rate because it didn't have any hardware-acceleration or power-management support, and it didn't let you make calls IIRC, but it was Android on an iPhone. It even set itself up in a dual-boot environment, so you could switch between Android and iOS. AFAIK, it was never developed into

Re:

[OrangeTide]

It's all ARMv8.

Re:

[SQLGuru]

And Windows Phone on the same hardware specs outperforms them all (which is why a $49 Nokia running WP is actually not a terrible experience)...........I'm pretty sure .Net has garbage collection.

Re:

[CSMoran]

Slashdot: Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking

TFA: Tiny list of router models affected.

FTFY

Re:

[CSMoran]

It would be "same thing" iff each of those models were used by one person, on average. Is it really what you are implying here?

Re:

[gweihir]

Fail.

Actually: Stop having people program C that do not know how to program securely in C. 0-terminated strings are fine in some contexts and not in others. The problem is people that cannot tell which is which.

Re:

[Pinky's Brain]

"Stop having people program C that do not know how to program securely in C"

Unfortunately we need more than handful of programmers ... we need the less able programmers, but we can't trust them with C.

A fact abundantly clear for 2 decades, yet C persists ... billions of dollars of unnecessary damages.

Re:

[gweihir]

I disagree. We do _not_ need the "cheap" programmers as what they write has negative worth. The reason C persists is simple: It is the best tool for quite a few jobs and it is a good tool in the hands of an expert. The damage caused is indeed unnecessary, but it is never a tool's fault when it is wielded incompetently.

NOT a kernel bug

[Lost Race]

This is some crappy proprietary firmware library for very low cost network devices. As TFA mentions, we can expect a lot more of these vulnerabilities in the "IoT".

Re:NOT a kernel bug

[Dagger2]

It may not be part of the mainline Linux kernel, but the "firmware library" here is a kernel module, so this bug is a kernel-mode remote execution vulnerability. Which... probably isn't that much worse than a userland vulnerability for this type of device, where everything typically runs as root anyway, but still.

Re:

[nevermore94]

These are not all necessarily "very low cost network devices". I have the Netgear R7000 which is in the list and at the time I bought it it was one of the highest rated and most expensive home WiFi routers available. Granted, these are not corporate infrastructure level devices, but they are certainly not all "very low cost" ones either.

Re:

[mattventura]

This is just yet another reason on the already long list of why I never use consumer routers. Between the awful specs, terrible proprietary firmwares, and swiss cheese security, I've decided to just use only repurposed hardware for routers. Almost anything past the P4 era can route at gigabit speeds without the need for "NAT accel" hardware (aka "our hardware is so slow that it needs NAT acceleration to do what a thrown-out PC can do"). That, or look for used professional gear.

Pretty much the only thing

DD-WRT / other open source router software?

[Bovius]

The advisory focuses on hardware brands - doesn't mention anything about aftermarket software. Anyone know?

DD-WRT no. Vuln. if proprietary & shares webca

[raymorris]

The vulnerable module appears to be proprietary, not open source, so dd-wrt and other open source firmware wouldn't include it.

If you have a router or similar device with a USB port which can be used to share USB printers and webcams, it's vulnerable. Sharing of USB STORAGE is done differently.

Millions

[StikyPad]

If by "millions" you mean "one or two with computer names longer than 64 characters." At least for external threats. For internal threats on public WiFi, the networks should always be presumed to be insecure. For private networks, you already control the devices that connect because you have a secure passphrase, right? Right?

Re:

[IMightB]

Not only that, but it appears that it needs to be internal (as in physical access), a name longer than 64 character PLUS connected via USB. I cannot think if too many instances where this is a mission critical combination.

This is what you get for not using Systemd

[Anonymous Coward]

Not surprised at all for trusting any services management with anything other than Systemd

Proprietary, not open source

[raymorris]

The buggy software is not open source. It is proprietary. I'll FTFY, updating your post to reflect that it's proprietary software:

Another day another MASSIVE security problem caused by proprietary software. I cannot wait for this shitty industry of crappy software written by crappy programmers hired by managers focused purely on profit to die the death it so richly deserves. This is going into my yearly talk I give at the local compsci department about why proprietary software should be SHUNNED, not embraced, by up and coming programmers. Not only does it cost us JOBS and INCOME potential, it demonstrably results in WORSE software.

More pointedly

[ThatsNotPudding]

You should also state (based on their response to this vulnerability), the institute will nullify their degree if they are found to be purchasing Netgear products.

Who needed it?

[Opportunist]

Seriously. NetUSB? On a router? WHY the devil would I want that?

But lemme guess: It was cheap to add, it was a feature that we can tack onto the "look, shiny!" list of things the router can do and people simply count down the "features" of a router whether they need them or even know what the fuck they are.

Meanwhile, it becomes near impossible to buy a router that is JUST THAT. A router. And in case you're wondering "hey, why would you want that when you can have $feature on top of it for FREE?", look no further than this exploit. Without the useless gadget that netUSB is, this exploit would not exist!

Re:

[wed128]

So...disable all the features you aren't using to minimize your threat surface?

Re:

[Opportunist]

I do. If that's possible at all. Besides, not always does "disabling" a service really render it secure against an exploit targeting it. That's the whole point behind an exploit, that whatever it attacks does not behave as it should.

Re:Who needed it?

[amorsen]

Seriously. NetUSB? On a router? WHY the devil would I want that?

Printer sharing. A problem that was solved well in the 80's and since re-solved slightly worse every few years. It is difficult to imagine a worse way than NetUSB, but I am sure there are developers out there with a better imagination than mine.

Re:

[drinkypoo]

It was solved in the 80s and then crapped on in the 90s in the name of making ever-cheaper disposable printers for the purpose of selling million-dollar ink cartridges and print heads.

Re:

[NJRoadfan]

NetUSB is used by some printer servers to allow use of USB only All-in-One printers and scanners over a network. I had to fix a setup once, and it was nothing but a buggy mess. The printer and its drivers were never designed to be used in a shared environment and the client machines needed some really ugly "Virtual USB" driver to fool the AIO's software into thinking it was directly connected to the machine. It worked sometimes, just never EVER try to print or scan from multiple machines at once.

Re:

[bmo]

>What was the solution in the 80s that you are referring to?

Ethernet.

Either it has wifi or an "RJ45" jack on the back or it's crap.

--
BMO

Re:

[_merlin]

There are lots of solutions:

• JetDirect - print server listens on a TCP socket, clients treat the socket the way they would a serial port with the same printer model attached. No job management or anything, but very simple to implement.
• AppleTalk PAP - printer requests data from client as it needs it, client polls printer for status. Printer status and job management are done in a standardised way for all printers. But it depends on obsolete protocols.
• lpr/lpd - the UNIX equivalent to AppleTalk PAP. Runs o

Re:

[chuckugly]

Yes, however the last time I was in Costco I looked at the cheap printers, and the $140 multifunction scanner, doc-feeder, photo ink-jet with duplexer (some fly by night outfit named HP made it) had a touch screen interface and WiFi.

So yeah, not seeing this as a really killer feature in a router. I guess that's why my router doesn't have a USB port.

OpenBSD

[Anonymous Coward]

They should be using OpenBSD in routers anyway.

pfsense for the win

[cyberjock1980]

Still glad I'm using my pfsense router.

I have no doubt that there are plenty of devices that suffer from this vulnerability and will never see a firmware update because they'd rather you "buy some shiny new hardware that will not have this vulnerability". Well, guess what? I bought my last 2 routers for that reason, and I shouldn't have to buy a new one every 2 years because the manufacturer went cheap-and-dirty.

NetUSB=proprietary. Is there an open replacement?

[Ungrounded Lightning]

It happens I could use remote USB port functionality.

(Right now I want to run, on my laptop, a device that requires a Windows driver and Windows-only software. I have remote access to a Windows platform with the software and driver installed. If I could export a laptop USB port to the Windows machine, it would solve my problem.)

So NetUSB is vulnerable. Is there an open source replacement for it? (Doesn't need to be interworking if there are both a Linux port server and a Windows client-pseudodriver available.)

Re:

[mattventura]

Yes, Linux has USB/IP support. There's a kernel module to handle it on the Linux host, and there's a client driver available for Windows (although I'm not sure how well it works as I've never used it myself).

Re:

[tbuskey]

Yes, Linux has USB/IP support. There's a kernel module to handle it on the Linux host, and there's a client driver available for Windows (although I'm not sure how well it works as I've never used it myself).

I had a need to get a USB scanner into a Windows 7 VM that I connected to via RDP. I put Linux USB/IP on a raspberry PI and plugged the scanner in. The Windows box got the client. I could scan. Problem solved.