A vulnerability that leaves millions of routers and other Internet connected devices open to remote hacking and similar cyberattacks has been discovered.
Stefan Viehbock of SEC Consult Vulnerability Lab explained in his blog that a piece of proprietary software developed in Taiwan, called NetUSB, is the root of the security flaw.
NetUSB provides network access between USB devices such as printers or external hard drives and Linux-based embedded systems like routers and other access points. However, Viehbock discovered during the authentication check which occurs before establishing a connection that a significant vulnerability is present.
“As part of the connection initiation, the client sends his computer name,” he explains. “This is where it gets interesting: The client can specify the length of the computer name. By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket. All the server code runs in kernel mode, so this is a 'rare' remote kernel stack buffer overflow.”
Stack buffer overflow flaws can cause programs to malfunction or crash, but can also be used to perform a deliberate cyberattack. It is possible to corrupt the stack by injecting malicious code into the program and gain control of the device remotely.
TP-Link, a manufacturer that uses the NetUSB software component, has already issued a security patch for 40 of its devices, but products being sold by other companies are also affected. Viehbock has released an advisory where he lists a number of vendors that could be at risk, including Netgear, TrendNet and Western Digital.
If your device has not had a patch issued for it, it may be possible to disable the NetUSB software using a web interface. In the meantime, KCodes, the developers behind NetUSB, have reportedly been unreceptive to the security concerns raised.