CVE-2015-3036: Remote Command Execution On Millions Of Routers Via USB

Austrian researcher Stefan Viehbock has found that a large number of modern routers with a USB port are prone to a flaw that lets an attacker execute commands remotely on the vulnerable router. The flaw is in NetUSB, a Linux kernel module that allows users to connect USB devices to the router and make them available on the network. The module can be found on routers from vendors such as Zyxel, TP-Link, D-Link and Netgear, to name just a few. The vulnerability is a classic buffer overflow: a buffer is given more data than it can hold, and the resulting overflow allows arbitrary code to be injected into memory and executed at kernel level.

More concretely, the overflow is triggered when a client on the network sends its computer name to the NetUSB server on port 20005/TCP while establishing a connection. To exploit the vulnerable module, the attacker has to send a client computer name longer than 64 characters, which is the maximum length allowed by NetUSB. When NetUSB receives a longer name than it expects, the stack is overflowed. The resulting memory corruption leads either to arbitrary remote code execution through injected shellcode, or to a Denial of Service condition if execution of the shellcode is unsuccessful.
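The missing bounds check described above, as an added example that is not NetUSB's code or code from the original article: a parser for a length-prefixed computer-name field with the unchecked pattern beside a checked one. The one-byte length prefix, the function names and `NAME_LIMIT` are assumptions made for illustration; only the 64-character limit comes from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LIMIT 64   /* maximum computer-name length stated in the article */

/* Assumed layout, constructed for this example (not NetUSB's real wire
 * format): one length byte followed by that many name bytes. */

#if 0   /* unchecked pattern, kept out of the build and shown for contrast */
static void parse_name_unchecked(const uint8_t *msg)
{
    char name[NAME_LIMIT];
    memcpy(name, msg + 1, msg[0]);  /* sender-chosen length, up to 255 */
}
#endif

/* Checked form: 0 and a NUL-terminated name on success, -1 if rejected. */
int parse_name_checked(const uint8_t *msg, size_t msg_len,
                       char out[NAME_LIMIT + 1])
{
    size_t claimed;

    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;
    claimed = msg[0];
    if (claimed > NAME_LIMIT)       /* would not fit the destination */
        return -1;
    if (claimed > msg_len - 1)      /* claims more bytes than arrived */
        return -1;
    memcpy(out, msg + 1, claimed);
    out[claimed] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample messages. */
    uint8_t ok[] = { 5, 'L', 'A', 'P', '0', '1' };
    uint8_t oversized[1 + 100] = { 100 };   /* claims a 100-byte name */
    char name[NAME_LIMIT + 1];

    if (parse_name_checked(ok, sizeof ok, name) == 0)
        printf("accepted: %s\n", name);
    if (parse_name_checked(oversized, sizeof oversized, name) != 0)
        printf("rejected: name longer than %d bytes\n", NAME_LIMIT);
    return 0;
}
```

The checked form validates the claimed length against both the destination size and the number of bytes actually received before copying anything.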

It should be noted that NetUSB is enabled on almost all routers with a USB port, and the service runs even when no USB devices are connected.

Authentication is needed in order to connect to the server. However, this would not be a concern for an experienced attacker: the AES key that is needed can be found in both the client software and the server.

As NetUSB is essentially a kernel module, an attacker who is able to exploit the service successfully would be able to execute his or her shellcode, or arbitrary code, with the highest possible privilege on the device, which means at the core level of the compromised router. A real-life scenario of a successful exploitation involves installing malware that gives the attacker complete control of the exploited router, for example making it part of a botnet, installing spyware or ransomware, or using it for a plethora of other network-based attacks.

To mitigate the issue, the functionality has to be disabled manually by the user, since NetUSB is likely to be enabled even if no USB device is connected, as mentioned above. Also, port 20005 should be filtered at the firewall. Although these countermeasures will work in most cases, NetUSB cannot be disabled on some devices, such as those from Netgear: according to the vendor, it is not possible either to filter port 20005/TCP or to disable the router’s USB capabilities manually.

Lastly, it is highly recommended that the device's firmware is updated to the latest version available, as vendors are now starting to release security updates in order to prevent NetUSB from being exploited in the wild.