Lucene search

CERTVU:177092

HistoryMay 19, 2015 - 12:00 a.m.

KCodes NetUSB kernel driver is vulnerable to buffer overflow

2015-05-1900:00:00

www.kb.cert.org

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.345 Low

EPSS

Percentile

97.1%

JSON

Overview

KCodes NetUSB is vulnerable to a buffer overflow via the network that may result in a denial of service or code execution.

Description

KCodes NetUSB is a Linux kernel module that provides USB over IP. It is used to provide USB device sharing on a home user network.

CWE-120**: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) -**CVE-2015-3036

According to the reporter, computer client data provided when connecting to the NetUSB server is not properly validated by the driver before processing, resulting in a buffer overflow that may lead to a denial of service or code execution. More information can be found in SEC Consult’s advisory.

The NetUSB driver provided by KCodes has been integrated into several vendors’ products. For more information, please see the Vendor Information section below.

CERT/CC has been unable to confirm this information directly with KCodes.

Impact

According to the reporter, an unauthenticated attacker on the local network can trigger a buffer overflow that may result in a denial of service or code execution. Some device default configurations may allow a remote attacker as well.

Solution

Update the firmware

Refer to the Vendor Information section below and contact your vendor for firmware update information.

Affected users may also consider the following workarounds:

Disable device sharing

Consult your device’s vendor and documentation as some devices may allow disabling the USB device sharing service on your network.

Block port 20005

Blocking port 20005 on the local network may help mitigate this attack by preventing access to the service.

Vendor Information

177092

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

D-Link Systems, Inc. __ Affected

Notified: April 10, 2015 Updated: May 22, 2015

Statement Date: May 21, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Several models are affected, included DIR-685 Rev. A1. An updated firmware is expected out by the end of May 2015 or sooner. For full list of affected models, please see the vendor advisory at the link below.

The current shipping product-line which deploys Shareport Mobile or mydlink Shareport are not affected by this vulnerability.

Vendor References

<http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10057>

KCodes Affected

Notified: April 06, 2015 Updated: April 08, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Netgear, Inc. __ Affected

Notified: April 10, 2015 Updated: June 05, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Netgear calls the USB-over-IP feature “ReadySHARE” (<http://www.netgear.com/readyshare>). For more details, see Netgear’s advisory at the URL below.

The reporter has also identified the latest firmware for NETGEAR WNDR4500 as being affected. Others models may also be vulnerable.

Vendor References

<http://kb.netgear.com/app/answers/detail/a_id/28393/~/netgear-product-vulnerability-advisory%3A-readyshare>

TP-LINK __ Affected

Notified: April 10, 2015 Updated: May 18, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor is in the process of releasing updated firmware addressing this vulnerability. Below is a list of affected devices, sent by the vendor to the reporter; CERT/CC has not been able to confirm this list directly with the vendor:

DSL Modem Routers

(Model Number)

| Hardware Version| Release Date
—|—|—
Archer VR200v| V1.0| Already released
TD-W8970 | V3.0| Already released
TD-W9980 | V1.0| Already released
Archer D2 | V1.0| Before 2015/05/22
Archer D5| V1.0| Before 2015/05/25
Archer D7 | V1.0| Before 2015/05/25
Archer D9 | V1.0| Before 2015/05/25
TD-W8968 | V3.0| Before 2015/05/25
TD-W8980 | V3.0| Before 2015/05/25
TD-W8968 | V1.0| Before 2015/05/30
TD-W8968 | V2.0| Before 2015/05/30
TD-VG3631 | V1.0| Before 2015/05/30
TD-W8970 | V1.0| Before 2015/05/30
TD-W8970B | V1.0| Before 2015/05/30
TD-W8980B | V1.0| Before 2015/05/30
TD-W9980B | V1.0| Before 2015/05/30
Archer D7B| V1.0| Before 2015/05/31
TD-VG3631| V1.0| Before 2015/05/31
TX-VG1530(GPON)| V1.0| Before 2015/05/31
TD-VG3511| V1.0| End-Of-Life

Wireless Routers

(Model Number)

| Hardware Version| Release Date
—|—|—
Archer C20| V1.0| Not affected
Archer C7| V2.0| Already released
Archer C2 | V1.0| Before 2015/05/22
Archer C5 | V1.2| Before 2015/05/22
Archer C9 | V1.0| Before 2015/05/22
TL-WR3500| V1.0| Before 2015/05/22
TL-WR3600 | V1.0| Before 2015/05/22
TL-WR4300 | V1.0| Before 2015/05/22
Archer C20i | V1.0| Before 2015/05/25
Archer C5 | V2.0| Before 2015/05/30
Archer C7 | V1.0| Before 2015/05/30
Archer C8 | V1.0| Before 2015/05/30
TL-WR842ND | V2.0| Before 2015/05/30
TL-WR1043ND | V2.0| Before 2015/05/30
TL-WR1043ND | V3.0| Before 2015/05/30
TL-WR1045ND | V2.0| Before 2015/05/30
TL-WR842ND| V1.0| End-Of-Life
TD-W1042ND| V1.0| End-Of-Life
TD-W1043ND| V1.0| End-Of-Life
TD-WDR4900| V1.0| End-Of-Life