CERT Coordination Center

KCodes NetUSB kernel driver is vulnerable to buffer overflow

Vulnerability Note VU#177092

Original Release Date: 2015-05-19 | Last Revised: 2015-06-05

Overview

KCodes NetUSB is vulnerable to a buffer overflow via the network that may result in a denial of service or code execution.

Description

KCodes NetUSB is a Linux kernel module that provides USB over IP. It is used to provide USB device sharing on a home user network.

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-3036

According to the reporter, computer client data provided when connecting to the NetUSB server is not properly validated by the driver before processing, resulting in a buffer overflow that may lead to a denial of service or code execution. More information can be found in SEC Consult's advisory.
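The class of flaw described above (CWE-120), as an added C example that is not KCodes' driver code and not part of the original advisory: a length-prefixed client field is parsed with the declared length validated before the copy. The wire layout, `FIELD_MAX`, `struct client_info` and `parse_client_field` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64                 /* assumed size of the fixed destination */

struct client_info { char data[FIELD_MAX + 1]; };   /* hypothetical record */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/*
 * CWE-120 pattern, shown only as a comment:
 *     memcpy(&len, msg, 4);
 *     memcpy(out->data, msg + 4, len);    <- len comes from the network
 * Hardened form: check the declared length against the destination
 * capacity and against the bytes actually received, then copy.
 */
int parse_client_field(const uint8_t *msg, size_t msg_len, struct client_info *out)
{
    uint32_t declared;

    if (msg_len < 4)
        return PARSE_TRUNCATED;      /* no room for the length prefix */
    /* 32-bit little-endian length prefix (assumed wire format) */
    declared = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
               ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    if (declared > FIELD_MAX)
        return PARSE_TOO_LONG;       /* would overflow out->data */
    if (declared > msg_len - 4)
        return PARSE_TRUNCATED;      /* claims more bytes than were received */
    memcpy(out->data, msg + 4, declared);
    out->data[declared] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    const uint8_t ok[]   = { 5, 0, 0, 0, 'h', 'o', 's', 't', '1' };
    const uint8_t huge[] = { 0xff, 0xff, 0x00, 0x00, 'A', 'A' };
    struct client_info ci;

    printf("ok   -> %d\n", parse_client_field(ok, sizeof ok, &ci));
    printf("huge -> %d\n", parse_client_field(huge, sizeof huge, &ci));
    return 0;
}
```

Both checks are needed: the first protects the destination buffer, the second keeps the copy from reading past the end of the received message.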

The NetUSB driver provided by KCodes has been integrated into several vendors' products. For more information, please see the Vendor Information section below.

CERT/CC has been unable to confirm this information directly with KCodes.

Impact

According to the reporter, an unauthenticated attacker on the local network can trigger a buffer overflow that may result in a denial of service or code execution. Some device default configurations may allow a remote attacker as well.

Solution

Update the firmware

Refer to the Vendor Information section below and contact your vendor for firmware update information.

Affected users may also consider the following workarounds:

Disable device sharing

Consult your device's vendor and documentation as some devices may allow disabling the USB device sharing service on your network.

Block port 20005

Blocking port 20005 on the local network may help mitigate this attack by preventing access to the service.

Vendor Information

D-Link Systems, Inc. Affected

Notified:  April 10, 2015 Updated: May 22, 2015

Statement Date:   May 21, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Several models are affected, including DIR-685 Rev. A1. Updated firmware is expected out by the end of May 2015 or sooner. For the full list of affected models, please see the vendor advisory at the link below.

The current shipping product line, which deploys Shareport Mobile or mydlink Shareport, is not affected by this vulnerability.

Vendor References

KCodes Affected

Notified:  April 06, 2015 Updated: April 08, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Netgear, Inc. Affected

Notified:  April 10, 2015 Updated: June 05, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Netgear calls the USB-over-IP feature "ReadySHARE" (http://www.netgear.com/readyshare). For more details, see Netgear's advisory at the URL below.

The reporter has also identified the latest firmware for NETGEAR WNDR4500 as being affected. Other models may also be vulnerable.

Vendor References

TP-LINK Affected

Notified:  April 10, 2015 Updated: May 18, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor is in the process of releasing updated firmware addressing this vulnerability. Below is a list of affected devices, sent by the vendor to the reporter; CERT/CC has not been able to confirm this list directly with the vendor:

DSL Modem Routers (Model Number)  Hardware Version  Release Date
Archer VR200v                     V1.0              Already released
TD-W8970                          V3.0              Already released
TD-W9980                          V1.0              Already released
Archer D2                         V1.0              Before 2015/05/22
Archer D5                         V1.0              Before 2015/05/25
Archer D7                         V1.0              Before 2015/05/25
Archer D9                         V1.0              Before 2015/05/25
TD-W8968                          V3.0              Before 2015/05/25
TD-W8980                          V3.0              Before 2015/05/25
TD-W8968                          V1.0              Before 2015/05/30
TD-W8968                          V2.0              Before 2015/05/30
TD-VG3631                         V1.0              Before 2015/05/30
TD-W8970                          V1.0              Before 2015/05/30
TD-W8970B                         V1.0              Before 2015/05/30
TD-W8980B                         V1.0              Before 2015/05/30
TD-W9980B                         V1.0              Before 2015/05/30
Archer D7B                        V1.0              Before 2015/05/31
TD-VG3631                         V1.0              Before 2015/05/31
TX-VG1530(GPON)                   V1.0              Before 2015/05/31
TD-VG3511                         V1.0              End-Of-Life

Wireless Routers (Model Number)   Hardware Version  Release Date
Archer C20                        V1.0              Not affected
Archer C7                         V2.0              Already released
Archer C2                         V1.0              Before 2015/05/22
Archer C5                         V1.2              Before 2015/05/22
Archer C9                         V1.0              Before 2015/05/22
TL-WR3500                         V1.0              Before 2015/05/22
TL-WR3600                         V1.0              Before 2015/05/22
TL-WR4300                         V1.0              Before 2015/05/22
Archer C20i                       V1.0              Before 2015/05/25
Archer C5                         V2.0              Before 2015/05/30
Archer C7                         V1.0              Before 2015/05/30
Archer C8                         V1.0              Before 2015/05/30
TL-WR842ND                        V2.0              Before 2015/05/30
TL-WR1043ND                       V2.0              Before 2015/05/30
TL-WR1043ND                       V3.0              Before 2015/05/30
TL-WR1045ND                       V2.0              Before 2015/05/30
TL-WR842ND                        V1.0              End-Of-Life
TD-W1042ND                        V1.0              End-Of-Life
TD-W1043ND                        V1.0              End-Of-Life
TD-WDR4900                        V1.0              End-Of-Life

The exact release date may change due to some unexpected incidents.

TRENDnet Affected

Notified:  April 10, 2015 Updated: May 27, 2015

Statement Date:   May 27, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Several TRENDnet models are affected; please see the security advisory below.

Vendor References

ZyXEL Affected

Notified:  April 10, 2015 Updated: May 22, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Updates are expected in June. A list of affected models is currently unavailable.

Ambir Technologies Not Affected

Notified:  April 10, 2015 Updated: May 21, 2015

Statement Date:   May 21, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

According to an Ambir representative, "We have no products that use the Kcodes technology or products nor do we resell Kcodes products."

Peplink Not Affected

Updated:  June 01, 2015

Statement Date:   June 01, 2015

Status

Not Affected

Vendor Statement

"Peplink has verified and confirmed that none of our devices make use of KCodes NetUSB, therefore we are unaffected by this vulnerability."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

ALLNET GmbH Unknown

Notified:  April 15, 2015 Updated: April 15, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Asante Unknown

Notified:  April 15, 2015 Updated: April 15, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cisco Unknown

Notified:  April 29, 2015 Updated: April 29, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Digitus Unknown

Notified:  April 15, 2015 Updated: April 15, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Edimax Computer Company Unknown

Notified:  April 10, 2015 Updated: April 10, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Encore Electronics Unknown

Notified:  April 10, 2015 Updated: April 10, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IOGEAR Unknown

Notified:  April 15, 2015 Updated: April 15, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

LevelOne Unknown

Notified:  April 10, 2015 Updated: April 10, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Linksys Unknown

Notified:  April 29, 2015 Updated: April 29, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Longshine Networking Unknown

Notified:  April 10, 2015 Updated: April 10, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

PROLiNK Fida Intl Unknown

Notified:  April 10, 2015 Updated: April 10, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Western Digital Technologies Unknown

Notified:  April 10, 2015 Updated: April 10, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           5.7    AV:A/AC:M/Au:N/C:N/I:N/A:C
Temporal       4.9    E:POC/RL:W/RC:C
Environmental  3.7    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Stefan Viehboeck of SEC Consult Vulnerability Lab for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-3036
Date Public: 2015-05-19
Date First Published: 2015-05-19
Date Last Updated: 2015-06-05 14:54 UTC
Document Revision: 96

Sponsored by CISA.