Dave McDaniel of Cisco Talos discovered these vulnerabilities.

Executive summary

KCodes’ NetUSB kernel module contains two vulnerabilities that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. Specific models of these routers utilize the kernel module from KCodes, a Taiwanese company. The module is custom-made for each device, but all versions contain similar functions.

The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices. An attacker could send specific packets on the local network to exploit vulnerabilities in NetUSB, forcing the routers to disclose sensitive information and even giving the attacker the ability to remotely execute code.

In accordance with our coordinated disclosure policy, Cisco Talos reached out to KCodes and NETGEAR regarding these vulnerabilities. After Talos worked with KCodes, the company provided an update to NETGEAR, which is scheduled to release an update. Talos decided to release the details of these vulnerabilities after surpassing our 90-day deadline.

Vulnerability details

KCodes NetUSB unauthenticated remote kernel arbitrary memory read vulnerability (TALOS-2018-0775/CVE-2019-5016)

An exploitable arbitrary memory read vulnerability exists in the KCodes NetUSB.ko kernel module which enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. A specially crafted index value can cause an invalid memory read, resulting in a denial of service or remote information disclosure. An unauthenticated attacker can send a crafted packet on the local network to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.
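
An added illustration of the bug class described above (not NetUSB code and not taken from the advisory): a network handler that indexes a table with a wire-supplied value must bound that value as an unsigned quantity. The request layout, table and function names are constructed for this example, and the signed-comparison mistake is one common way such a check fails, assumed here rather than reported for NetUSB.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SLOT_COUNT 8u  /* hypothetical table size */
#define REQ_LEN    5u  /* constructed layout: 1-byte opcode + 4-byte big-endian index */

struct slot { uint32_t id; };
static struct slot slots[SLOT_COUNT];

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Weak check: the wire value is treated as signed, so 0xFFFFFFFF becomes -1
 * and passes "idx < SLOT_COUNT"; using it as an index reads before the table. */
int weak_index_ok(uint32_t wire)
{
    int32_t idx = (int32_t)wire;
    return idx < (int32_t)SLOT_COUNT;
}

/* Hardened check: keep the value unsigned and compare against the table size. */
int strict_index_ok(uint32_t wire)
{
    return wire < SLOT_COUNT;
}

/* Returns the addressed slot, or NULL for a short packet or out-of-range index. */
const struct slot *lookup_slot(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < REQ_LEN)
        return NULL;
    uint32_t idx = be32(pkt + 1);
    if (!strict_index_ok(idx))
        return NULL;
    return &slots[idx];
}

int main(void)
{
    /* Constructed sample request: opcode 0x01, index 0xFFFFFFFF. */
    const uint8_t crafted[REQ_LEN] = { 0x01, 0xFF, 0xFF, 0xFF, 0xFF };
    printf("weak check accepts: %d\n", weak_index_ok(be32(crafted + 1)));
    printf("hardened lookup: %s\n",
           lookup_slot(crafted, sizeof crafted) ? "slot" : "rejected");
    return 0;
}
```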

KCodes NetUSB unauthenticated remote kernel information disclosure vulnerability (TALOS-2018-0776/CVE-2019-5017)

An exploitable information disclosure vulnerability exists in the KCodes NetUSB.ko kernel module that enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. An unauthenticated, remote attacker can craft and send a packet containing an opcode that will trigger the kernel module to return several addresses, one of which can be used to calculate the dynamic base address of the module for further exploitation.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that TALOS-2019-0776 and TALOS-2019-0775 affect the NETGEAR Nighthawk AC3200 (R8000), firmware version 1.0.4.28_10.1.54 — NetUSB.ko 1.0.2.66. The NETGEAR Nighthawk AC3000 (R7900), firmware version 1.0.3.8_10.0.37 (11/1/18) — NetUSB.ko 1.0.2.69 is also affected by TALOS-2019-0775.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 49087