SentinelLabs finds NetUSB vulnerability in millions of routers

Get a free Techzine subscription!

SentinelLabs discovered a severe vulnerability in NetUSB. Millions of routers run on the module worldwide.

NetUSB allows USB devices connected to routers to be controlled by other network devices. Printers are an example. When connecting a printer to a router via USB, NetUSB enables a desktop (or another connected device) to control the printer. Major vendors such as Netgear, TP-Link, D-Link and Western Digital have used NetUSB in their modem and router software. The module is present in millions of devices.

Max van Amerongen, security researcher at SentinelLabs, found a vulnerability in NetUSB. The module is susceptible to integer overflows and remote code execution (RCE). Months back, SentinelLabs raised the issue with all major vendors. Today, the organization discloses the vulnerability’s inner workings.

How does it work?

NetUSB works as an interpreter of the software of two devices. It boots when a client (for example, a desktop) tries to connect to a USB device (for example, a printer). The devices exchange authentication information, after which NetUSB initiates a code loop. The loop carries a command from one device, translates and sends the command to the other device. In this way, NetUSB provides USB functionality over a network.

Suppose you send a printing task from a desktop to a printer connected to a router. The task essentially consists of a series of commands, formulated in hexadecimal. NetUSB’s code translates each command to a format readable by the printer.

To execute a translated command, the printer must make sufficient memory available. Therefore, NetUSB creates a buffer. The application always adds 0x11 (hexadecimal) to a command. That step causes the vulnerability in question. If the sum of 0x11 and the initial command exceeds the maximum hexadecimal specified by the protocol, the buffer creates an integer overflow.

Am I at risk?

The vulnerability is undoubtedly exploitable, but the chances of large-scale abuse are small. The integer overflow is limited to a small portion of NetUSB’s code. Although that portion can be manipulated, SentinelLabs can or will not say how the misstep ultimately leads to the misuse of a device.

In addition, the use of NetUSB diminishes as printers modernize. Newer models have direct network connectivity options, which reduces the need for USB connections to routers. Simply put, NetUSB sees less use with every passing year, lessening the severity of the issue at hand.

Nonetheless, SentinelLabs saw reason to sound the alarm. After all, integer overflows can be conjured at will. Even though the usage of NetUSB is dwindling, the software remains in use by millions of devices. More importantly: a single intervention eliminates the threat.

The solution

The integer overflow can only be caused by gigantic, unrealistically large numbers. Thus, SentinelLabs advised the developer of NetUSB (KCodes) to reject commands with unrealistically large numbers. The solution is as simple as adding a single line of conditional code: if(user_supplied_size + 0x11 < 0x11) return.

KCodes complied. Two weeks after SentinelLabs’ message, the organization developed a patch. On November 19, 2021, KCodes sent the patch to all vendors using NetUSB. Netgear, one of the vendors, processed the patch on December 14, 2021. The organization pushed a firmware update for all affected devices: the D7800 (from 2015), R6400v2 (2016) and R6700v3 (2019). TP-Link responded as well. The organization published patches for the C7, C1200, C5400X, MR3420, WR842N and VR2800.

If you use devices from Netgear and TP-Link, we recommend an immediate firmware update. If you use equipment from the other vendors, the solution is less obvious. We asked D-Link and Western Digital whether a patch is available or in development. The local branch of Western Digital indicates that the organization will not provide statements on this issue. The local branch of D-Link has forwarded the question to colleague’s that are able to speak on the matter. We will update this article as soon as we receive their response.

Tip: SentinelOne exposes vulnerabilities in Oracle VirtualBox