The recent NetUSB flaw in routers was written up by almost every tech news organization, yet much of the story went untold and some of what was written was flat out wrong. Here, and in my next blog, I hope to correct the record, provide additional information and offer some perspective and context on the problem.
The basic facts about the flaw are simple: some routers that share files and/or printers via a USB port are vulnerable to a software flaw that can certainly crash the router and possibly let malicious software run on it. The flaw was discovered by SEC Consult, which wrote:
NetUSB is a proprietary technology developed by the Taiwanese company KCodes, intended to provide 'USB over IP' functionality. USB devices (e.g. printers, external hard drives, flash drives) plugged into a Linux-based embedded system (e.g. a router, an access point or a dedicated 'USB over IP' box) are made available via the network using a Linux kernel driver that launches a server (TCP port 20005). The client side is implemented in software that is available for Windows and OS X ... The user experience is like that of a USB device physically plugged into a client system.
The bug is easily triggered, just give the NetUSB server some data longer than it expects. Truly bad coding.
Perhaps the biggest reporting mistake I saw was the list of vulnerable routers. The headline of one article suggested people check if their router is on the list. Another article referred to "the complete list of affected routers".
But, there is no comprehensive list of vulnerable routers.
In fact, there probably never will be.
The list published by SEC Consult is woefully incomplete, a fact they clearly explained.
The flaw is in code written by KCodes Technology and only they know who they have licensed it to. And, they are not saying anything; they did not co-operate with SEC Consult.
What SEC Consult did then, was to look in a file called "NetUSB.info", which is part of the Windows driver setup. The file had references to 26 vendors. It is assumed that these companies have licensed the vulnerable NetUSB software from KCodes. But again, that is an assumption, as is the fact that the list is complete.
Of these 26 companies, SEC Consult examined the firmware (router operating system) from five of them: D-Link, NETGEAR, TP-LINK, TRENDnet and ZyXEL. Each was found to have at least one router that included the KCodes software. In all, these five companies appear to have 92 routers with the KCodes NetUSB software.
As for the other companies, SEC Consult "did not check the firmware of the remaining 21 vendors." Those companies are: Allnet, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, EDIMAX, Encore Electronics, Engenius, Etop, Hardlink, Hawking, IOGEAR, LevelOne, Longshine, PCI, PROLiNK, Sitecom, Taifa and Western Digital.
The number of routers that SEC Consult confirmed were vulnerable was three. The other 89 just had their firmware downloaded and scanned.
For the most part, to check whether a router is vulnerable, you need to either check with the company that made it, or test it yourself. Part 2 will cover testing a router.
TP-LINK, after being notified by SEC Consult of the NetUSB problem, fixed the problem faster than any other company. That said, TP-LINK, like other makers of consumer routers, drops support for their routers after a while. Thus, while they were very quick to fix their supported devices, it is possible that older models have the flaw too and won't be fixed.
This brings up an important point - if your router is no longer being supported with updated firmware, the Defensive Computing thing to do is to get a new router.
Lucian Constantin wrote in PC World that NETGEAR and ZyXEL have confirmed the flaw and are working on fixes.
My favorite router vendor, Peplink, posted a note on their Announcements forum saying they have "verified and confirmed that none of our devices make use of KCodes NetUSB, therefore we are unaffected by this vulnerability."
According to a forum posting, DD-WRT also does not use NetUSB.
Linksys was not in the list of companies that appear to license NetUSB software from KCodes. A search of their tech support site for "NetUSB" came up empty.
Asus too, was not on the list and their tech support site also has nothing about NetUSB. But, if you are doing file sharing on an Asus router you really need to be using the latest firmware. In early 2014 they had two serious issues in this area. One involved an easily exploited flaw and the other FTP defaults that were terribly insecure.
D-Link had a single router, the DIR-615C, appear on the list. Searching their support site for NetUSB turned up nothing. Searching the support page for the DIR-615 also turned up nothing about NetUSB.
Update: June 23, 2015. D-Link did issue a Security Advisory that says "D-Link does not currently deploy products utilizing KCodes. All D-Link routers that deploy Shareport Mobile or mydlink Shareport are not affected ... Upon researching our product-line source code we have identified the legacy model DIR-685 as being affected." Despite saying this, they issued new firmware to fix the NetUSB flaw for multiple routers (such as the DIR-632 and DIR-825).
Searching NETGEAR's support site for NetUSB, turned up a Product Vulnerability Advisory (last updated June 12th) that says "If your router supports ReadySHARE Print feature, your router is affected." For good luck, they also list 40 models known to be vulnerable.
NETGEAR was one of the first companies contacted by SEC Consult. They have known about the NetUSB flaw since March 19, 2015. Yet they are not planning on releasing bug fixes until July. Owners of NETGEAR routers may want to ensure the devices are registered, because the company plans on sending email notices when updated firmware is available.
ZyXEL had four routers on the list of 92. They posted a very visible announcement about NetUSB on their website that says they will release updated firmware for all four models on June 18, 2015. They also note that no other ZyXEL devices are affected.
Eight routers will have new firmware released between June 24th and July 20th (there is a definite date for each router). Two routers will be fixed, but the date has not yet been determined. Three routers cited by SEC Consult are not vulnerable because the buggy software is not present. Interesting.
IS A ROUTER VULNERABLE?
As noted above, the only routers vulnerable to the NetUSB flaw are those that share files or printers via a USB port. So, if your router has no USB port, you are safe.
That said, not all USB ports are used for device sharing. My Peplink Surf SOHO has a USB port that can only be used for a 3G/4G/LTE antenna. It does not do file or printer sharing from the USB port.
And, not all routers that offer file sharing via USB use the vulnerable KCodes software. DD-WRT, for example, claims to use software from the USB/IP Project.
If a router does use the NetUSB software, it may well be vulnerable even if the USB port is empty.
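Since the NetUSB server listens on TCP port 20005 whether or not a USB device is plugged in, the simplest sign that a router carries the KCodes software is that this port accepts connections from the LAN. The following script is an added example, not code from SEC Consult, KCodes or any router vendor; it only attempts a TCP connection and sends nothing. The router address 192.168.1.1 is an assumed default that you should replace with your own gateway address.

```python
import socket
import sys

# TCP port the NetUSB kernel driver listens on (from the SEC Consult write-up).
NETUSB_PORT = 20005

# Assumed LAN address of the router; replace with your own gateway address.
ASSUMED_ROUTER_ADDRESS = "192.168.1.1"


def netusb_port_open(host, port=NETUSB_PORT, timeout=2.0):
    """Return True if `host` accepts a TCP connection on `port`.

    An open port 20005 on the router's LAN address strongly suggests that the
    NetUSB server is present, and therefore that the router may be vulnerable
    even with nothing plugged into its USB port. A closed port is not proof of
    safety: the service could be disabled by configuration yet still present in
    the firmware, or the port could be filtered.
    """
    try:
        # Connect-only probe: the socket is closed immediately, no data is sent.
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, or host unreachable.
        return False


def _local_demo():
    """Constructed check against a throwaway listener on loopback.

    This stands in for a router so the probe's two outcomes can be verified
    without touching real hardware. Returns (open_result, closed_result).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port plays the role of 20005
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = netusb_port_open("127.0.0.1", port, timeout=1.0)
    listener.close()
    closed_result = netusb_port_open("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    router = sys.argv[1] if len(sys.argv) > 1 else ASSUMED_ROUTER_ADDRESS
    if netusb_port_open(router):
        print(f"{router}: TCP {NETUSB_PORT} is open; NetUSB server appears to be present")
    else:
        print(f"{router}: TCP {NETUSB_PORT} is closed or filtered; no NetUSB server detected")
```

Run it as `python netusb_check.py 192.168.0.1` from a machine on the router's LAN. The probe is deliberately connect-only: it never sends the oversized data that triggers the crash, so it is safe to run against a router you depend on. Treat an open port as a reason to check the vendor's advisory or update the firmware, and a closed port as a good sign rather than a guarantee.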
Next time: how to test a router for the presence of NetUSB, how to mitigate the problem on vulnerable routers, and some perspective.
Update: Published June 20, 2015: The NetUSB router flaw Part 2 - Detection and Mitigation.