Another day, another software supply chain exploit. This time, Zytel and D-Link have confirmed that their routers have the bug, but researchers think products from Netgear, TP-Link, Trendnet and other vendors are vulnerable. Already 90 plus products from more than 20 vendors have been potentially identified as vulnerable. Only TP-Link has announced a patch. The bug allows you to take control of the device in kernel mode. Anyone taking bets that most owners will not patch this (see article and article)?
The feature, NetUSB, allows users of an affected device to share a USB device over the network. For some implementations, the sharing is only allowed on the local network, but other implementations may allow sharing over the Internet. Still, that means that if you infect any device on the local network, you can take over the vulnerable router or other device.
Some manufacturers allow you to turn off the feature, but others do not.
The buggy software was bought from Taiwan based KCodes Technology. What it takes to initiate the takeover is to connect to the affected device with a computer name longer than 64 characters. This causes a buffer overflow and the rest is history. That sounds hard, huh?
This is a supply chain problem because vendors like TP-Link (the only one that has released a patch so far) thought this was a nifty feature, so they bought the Linux software from KCodes, probably for very little money. They did not do an extensive vulnerability assessment of the software – probably just looked at the sales flyer and tested it to see that it worked as described.
Netgear products, which are affected, calls the feature ReadySHARE, says they will release a patch this fall, but they have not announced specifically which products are vulnerable. I am sure that hackers will be very patient and wait until after that patch is released this fall and you install the fix to attempt to exploit it. NOT!
Oh, yeah, for at least Netgear devices, the feature cannot be disabled – even if disabling it would disable the driver itself and not just the user interface. It also cannot be firewalled off.
Given the brands that have fessed up to using it, it is likely that most of the affected products are located in homes, home offices and small businesses. How many of these groups even understand about patching something like a router?
I PREDICT THAT MOST OF THESE PRODUCTS WILL BE VULNERABLE UNTIL THEY ARE IN A LANDFILL 10 YEARS FROM NOW.
Which is why software supply chain problems are a real problem.
Businesses that use technology or buy software (does that cover most businesses?) need to start dealing with the software supply chain issue, like now. And it is not simple because when you buy the XYZ product it doesn’t say “contains software bought from the lowest cost vendor in Molnevia”. THAT is part of the problem.