CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

EPSS: 0.345 Low (Percentile: 97.1%)
KCodes NetUSB is vulnerable to a buffer overflow via the network that may result in a denial of service or code execution.
KCodes NetUSB is a Linux kernel module that provides USB over IP. It is used to provide USB device sharing on a home user network.
**CWE-120**: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) - **CVE-2015-3036**
According to the reporter, computer client data provided when connecting to the NetUSB server is not properly validated by the driver before processing, resulting in a buffer overflow that may lead to a denial of service or code execution. More information can be found in SEC Consult’s advisory.
The NetUSB driver provided by KCodes has been integrated into several vendors’ products. For more information, please see the Vendor Information section below.
CERT/CC has been unable to confirm this information directly with KCodes.
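The bug class named above (CWE-120), as an added example that is not code from KCodes, SEC Consult or CERT/CC: a handler copies a client-supplied, length-prefixed field into a fixed buffer, first without and then with bounds checks. The message layout (2-byte little-endian length followed by the data), the 64-byte buffer and all function names are assumptions made for illustration; this page does not describe the NetUSB wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64 /* assumed size of the fixed destination buffer */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };
struct session { char client_name[NAME_BUF]; };

/* CWE-120 pattern: the client-declared length is copied without any bound. */
int parse_hello_unchecked(struct session *s, const uint8_t *msg, size_t msg_len)
{
    size_t declared = (size_t)msg[0] | ((size_t)msg[1] << 8);
    (void)msg_len;                              /* never consulted: the bug */
    memcpy(s->client_name, msg + 2, declared);  /* can write past the buffer */
    s->client_name[declared] = '\0';
    return PARSE_OK;
}

/* Hardened: bound the declared length by the input AND by the destination. */
int parse_hello_checked(struct session *s, const uint8_t *msg, size_t msg_len)
{
    size_t declared;
    if (msg_len < 2) return PARSE_TRUNCATED;            /* no length field */
    declared = (size_t)msg[0] | ((size_t)msg[1] << 8);
    if (declared > msg_len - 2) return PARSE_TRUNCATED; /* claims more than sent */
    if (declared >= sizeof s->client_name) return PARSE_TOO_LONG; /* data + NUL */
    memcpy(s->client_name, msg + 2, declared);
    s->client_name[declared] = '\0';
    return PARSE_OK;
}

/* Constructed input: a hello that declares `declared` bytes and carries `sent`. */
int check_hello(size_t declared, size_t sent)
{
    static uint8_t msg[2 + 1024];
    struct session s;
    if (sent > sizeof msg - 2) sent = sizeof msg - 2;
    msg[0] = (uint8_t)(declared & 0xff);
    msg[1] = (uint8_t)((declared >> 8) & 0xff);
    memset(msg + 2, 'A', sent);
    return parse_hello_checked(&s, msg, 2 + sent);
}

int main(void)
{
    printf("16 bytes: %d, 200 bytes: %d, declares 40 but sends 8: %d\n",
           check_hello(16, 16), check_hello(200, 200), check_hello(40, 8));
    return 0;
}
```

The unchecked variant is shown only for contrast and is never called; the hardened variant rejects the oversized and truncated messages before any copy takes place.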
According to the reporter, an unauthenticated attacker on the local network can trigger a buffer overflow that may result in a denial of service or code execution. Some device default configurations may allow a remote attacker as well.
Update the firmware
Refer to the Vendor Information section below and contact your vendor for firmware update information.
Affected users may also consider the following workarounds:
Disable device sharing
Consult your device’s vendor and documentation as some devices may allow disabling the USB device sharing service on your network.
Block port 20005
Blocking port 20005 on the local network may help mitigate this attack by preventing access to the service.
177092
Notified: April 10, 2015 Updated: May 22, 2015
Statement Date: May 21, 2015
Affected
We have not received a statement from the vendor.
Several models are affected, including DIR-685 Rev. A1. An updated firmware is expected out by the end of May 2015 or sooner. For the full list of affected models, please see the vendor advisory at the link below.
The current shipping product line, which deploys Shareport Mobile or mydlink Shareport, is not affected by this vulnerability.
Notified: April 06, 2015 Updated: April 08, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 10, 2015 Updated: June 05, 2015
Affected
We have not received a statement from the vendor.
Netgear calls the USB-over-IP feature “ReadySHARE” (<http://www.netgear.com/readyshare>). For more details, see Netgear’s advisory at the URL below.
The reporter has also identified the latest firmware for NETGEAR WNDR4500 as being affected. Other models may also be vulnerable.
Notified: April 10, 2015 Updated: May 18, 2015
Affected
We have not received a statement from the vendor.
The vendor is in the process of releasing updated firmware addressing this vulnerability. Below is a list of affected devices, sent by the vendor to the reporter; CERT/CC has not been able to confirm this list directly with the vendor:
DSL Modem Routers (Model Number) | Hardware Version | Release Date
---|---|---
Archer VR200v| V1.0| Already released
TD-W8970 | V3.0| Already released
TD-W9980 | V1.0| Already released
Archer D2 | V1.0| Before 2015/05/22
Archer D5| V1.0| Before 2015/05/25
Archer D7 | V1.0| Before 2015/05/25
Archer D9 | V1.0| Before 2015/05/25
TD-W8968 | V3.0| Before 2015/05/25
TD-W8980 | V3.0| Before 2015/05/25
TD-W8968 | V1.0| Before 2015/05/30
TD-W8968 | V2.0| Before 2015/05/30
TD-VG3631 | V1.0| Before 2015/05/30
TD-W8970 | V1.0| Before 2015/05/30
TD-W8970B | V1.0| Before 2015/05/30
TD-W8980B | V1.0| Before 2015/05/30
TD-W9980B | V1.0| Before 2015/05/30
Archer D7B| V1.0| Before 2015/05/31
TD-VG3631| V1.0| Before 2015/05/31
TX-VG1530(GPON)| V1.0| Before 2015/05/31
TD-VG3511| V1.0| End-Of-Life
Wireless Routers (Model Number) | Hardware Version | Release Date
---|---|---
Archer C20| V1.0| Not affected
Archer C7| V2.0| Already released
Archer C2 | V1.0| Before 2015/05/22
Archer C5 | V1.2| Before 2015/05/22
Archer C9 | V1.0| Before 2015/05/22
TL-WR3500| V1.0| Before 2015/05/22
TL-WR3600 | V1.0| Before 2015/05/22
TL-WR4300 | V1.0| Before 2015/05/22
Archer C20i | V1.0| Before 2015/05/25
Archer C5 | V2.0| Before 2015/05/30
Archer C7 | V1.0| Before 2015/05/30
Archer C8 | V1.0| Before 2015/05/30
TL-WR842ND | V2.0| Before 2015/05/30
TL-WR1043ND | V2.0| Before 2015/05/30
TL-WR1043ND | V3.0| Before 2015/05/30
TL-WR1045ND | V2.0| Before 2015/05/30
TL-WR842ND| V1.0| End-Of-Life
TD-W1042ND| V1.0| End-Of-Life
TD-W1043ND| V1.0| End-Of-Life
TD-WDR4900| V1.0| End-Of-Life
The exact release date may change due to some unexpected incidents.
Notified: April 10, 2015 Updated: May 27, 2015
Statement Date: May 27, 2015
Affected
We have not received a statement from the vendor.
Several TRENDnet models are affected; please see the security advisory below.
Notified: April 10, 2015 Updated: May 22, 2015
Affected
We have not received a statement from the vendor.
Updates are expected in June. A list of affected models is currently unavailable.
Notified: April 10, 2015 Updated: May 21, 2015
Statement Date: May 21, 2015
Not Affected
We have not received a statement from the vendor.
According to an Ambir representative, “We have no products that use the Kcodes technology or products nor do we resell Kcodes products.”
Updated: June 01, 2015
Statement Date: June 01, 2015
Not Affected
“Peplink has verified and confirmed that none of our devices make use of KCodes NetUSB, therefore we are unaffected by this vulnerability.”
We are not aware of further vendor information regarding this vulnerability.
Notified: April 15, 2015 Updated: April 15, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 15, 2015 Updated: April 15, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2015 Updated: April 29, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 15, 2015 Updated: April 15, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 10, 2015 Updated: April 10, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 10, 2015 Updated: April 10, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 15, 2015 Updated: April 15, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 10, 2015 Updated: April 10, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2015 Updated: April 29, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 10, 2015 Updated: April 10, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 10, 2015 Updated: April 10, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 10, 2015 Updated: April 10, 2015
Unknown
We have not received a statement from the vendor.
Group | Score | Vector |
---|---|---|
Base | 5.7 | AV:A/AC:M/Au:N/C:N/I:N/A:C |
Temporal | 4.9 | E:POC/RL:W/RC:C |
Environmental | 3.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Stefan Viehboeck of SEC Consult Vulnerability Lab for reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2015-3036 |
---|---|
Date Public: | 2015-05-19 |
Date First Published: | |