search menu icon-carat-right cmu-wordmark

CERT Coordination Center


KCodes NetUSB kernel driver is vulnerable to buffer overflow

Vulnerability Note VU#177092

Original Release Date: 2015-05-19 | Last Revised: 2015-06-05

Overview

KCodes NetUSB is vulnerable to a buffer overflow via the network that may result in a denial of service or code execution.

Description

KCodes NetUSB is a Linux kernel module that provides USB over IP. It is used to provide USB device sharing on a home user network.

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-3036

According to the reporter, computer client data provided when connecting to the NetUSB server is not properly validated by the driver before processing, resulting in a buffer overflow that may lead to a denial of service or code execution. More information can be found in SEC Consult's advisory.

The NetUSB driver provided by KCodes has been integrated into several vendors' products. For more information, please see the Vendor Information section below.

CERT/CC has been unable to confirm this information directly with KCodes.

Impact

According to the reporter, an unauthenticated attacker on the local network can trigger a buffer overflow that may result in a denial of service or code execution. Some device default configurations may allow a remote attacker as well.

Solution

Update the firmware

Refer to the Vendor Information section below and contact your vendor for firmware update information.

Affected users may also consider the following workarounds:

Disable device sharing

Consult your device's vendor and documentation as some devices may allow disabling the USB device sharing service on your network.

Block port 20005

Blocking port 20005 on the local network may help mitigate this attack by preventing access to the service.

Vendor Information

177092
Expand all

D-Link Systems, Inc.

Notified:  April 10, 2015 Updated:  May 22, 2015

Statement Date:   May 21, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Several models are affected, included DIR-685 Rev. A1. An updated firmware is expected out by the end of May 2015 or sooner. For full list of affected models, please see the vendor advisory at the link below.

The current shipping product-line which deploys Shareport Mobile or mydlink Shareport are not affected by this vulnerability.

Vendor References

http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10057

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

KCodes

Notified:  April 06, 2015 Updated:  April 08, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netgear, Inc.

Notified:  April 10, 2015 Updated:  June 05, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Netgear calls the USB-over-IP feature "ReadySHARE" (http://www.netgear.com/readyshare). For more details, see Netgear's advisory at the URL below.

The reporter has also identified the latest firmware for NETGEAR WNDR4500 as being affected. Others models may also be vulnerable.

Vendor References

http://kb.netgear.com/app/answers/detail/a_id/28393/~/netgear-product-vulnerability-advisory%3A-readyshare

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TP-LINK

Notified:  April 10, 2015 Updated:  May 18, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor is in the process of releasing updated firmware addressing this vulnerability. Below is a list of affected devices, sent by the vendor to the reporter; CERT/CC has not been able to confirm this list directly with the vendor:

DSL Modem Routers

(Model Number)

Hardware VersionRelease Date
Archer VR200vV1.0Already released
TD-W8970 V3.0Already released
TD-W9980 V1.0Already released
Archer D2 V1.0Before 2015/05/22
Archer D5V1.0Before 2015/05/25
Archer D7 V1.0Before 2015/05/25
Archer D9 V1.0Before 2015/05/25
TD-W8968 V3.0Before 2015/05/25
TD-W8980 V3.0Before 2015/05/25
TD-W8968 V1.0Before 2015/05/30
TD-W8968 V2.0Before 2015/05/30
TD-VG3631 V1.0Before 2015/05/30
TD-W8970 V1.0Before 2015/05/30
TD-W8970B V1.0Before 2015/05/30
TD-W8980B V1.0Before 2015/05/30
TD-W9980B V1.0Before 2015/05/30
Archer D7BV1.0Before 2015/05/31
TD-VG3631V1.0Before 2015/05/31
TX-VG1530(GPON)V1.0Before 2015/05/31
TD-VG3511V1.0End-Of-Life

 

Wireless Routers

(Model Number)

Hardware VersionRelease Date
Archer C20V1.0Not affected
Archer C7V2.0Already released
Archer C2 V1.0Before 2015/05/22
Archer C5 V1.2Before 2015/05/22
Archer C9 V1.0Before 2015/05/22
TL-WR3500V1.0Before 2015/05/22
TL-WR3600 V1.0Before 2015/05/22
TL-WR4300 V1.0Before 2015/05/22
Archer C20i V1.0Before 2015/05/25
Archer C5 V2.0Before 2015/05/30
Archer C7 V1.0Before 2015/05/30
Archer C8 V1.0Before 2015/05/30
TL-WR842ND V2.0Before 2015/05/30
TL-WR1043ND V2.0Before 2015/05/30
TL-WR1043ND V3.0Before 2015/05/30
TL-WR1045ND V2.0Before 2015/05/30
TL-WR842NDV1.0End-Of-Life
TD-W1042NDV1.0End-Of-Life
TD-W1043NDV1.0End-Of-Life
TD-WDR4900V1.0End-Of-Life

The exact release date may change due to some unexpected incidents.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TRENDnet

Notified:  April 10, 2015 Updated:  May 27, 2015

Statement Date:   May 27, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Several TRENDnet models are affected, please see the security advisory below.

Vendor References

http://www.trendnet.com/support/view.asp?cat=4&id=58

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZyXEL

Notified:  April 10, 2015 Updated:  May 22, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Updates are expected in June. List of models affected currently unavailable.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ambir Technologies

Notified:  April 10, 2015 Updated:  May 21, 2015

Statement Date:   May 21, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

According to an Ambir representative, "We have no products that use the Kcodes technology or products nor do we resell Kcodes products."

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Peplink

Updated:  June 01, 2015

Statement Date:   June 01, 2015

Status

  Not Affected

Vendor Statement

"Peplink has verified and confirmed that none of our devices make use of KCodes NetUSB, therefore we are unaffected by this vulnerability."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://forum.peplink.com/threads/4880-Unaffected-Security-Notice-for-KCodes-NetUSB-Vulnerability-CVE-2015-3036

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ALLNET GmbH

Notified:  April 15, 2015 Updated:  April 15, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Asante

Notified:  April 15, 2015 Updated:  April 15, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco

Notified:  April 29, 2015 Updated:  April 29, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Digitus

Notified:  April 15, 2015 Updated:  April 15, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Edimax Computer Company

Notified:  April 10, 2015 Updated:  April 10, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Encore Electronics

Notified:  April 10, 2015 Updated:  April 10, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IOGEAR

Notified:  April 15, 2015 Updated:  April 15, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

LevelOne

Notified:  April 10, 2015 Updated:  April 10, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Linksys

Notified:  April 29, 2015 Updated:  April 29, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Longshine Networking

Notified:  April 10, 2015 Updated:  April 10, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

PROLiNK Fida Intl

Notified:  April 10, 2015 Updated:  April 10, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Western Digital Technologies

Notified:  April 10, 2015 Updated:  April 10, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 5.7 AV:A/AC:M/Au:N/C:N/I:N/A:C
Temporal 4.9 E:POC/RL:W/RC:C
Environmental 3.7 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Stefan Viehboeck of SEC Consult Vulnerability Lab for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-3036
Date Public: 2015-05-19
Date First Published: 2015-05-19
Date Last Updated: 2015-06-05 14:54 UTC
Document Revision: 95

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.