CVE-2019-5016 – This vulnerability allows an unauthenticated at... (How to Fix)

Q: What is the severity of CVE-2019-5016?

CVE-2019-5016 has a CVSS score of 9.1 (CRITICAL). This vulnerability allows an unauthenticated attacker on the local network to read arbitrary kernel memory from affected routers by sending a specially crafted packet to the KCodes NetUSB.ko module. This can lead to denial of service or information disclosure. It affects NETGEAR Nighthawk routers and potentially other devices using the vulnerable KCodes NetUSB software.

📋 TL;DR

This vulnerability allows an unauthenticated attacker on the local network to read arbitrary kernel memory from affected routers by sending a specially crafted packet to the KCodes NetUSB.ko module. This can lead to denial of service or information disclosure. It affects NETGEAR Nighthawk routers and potentially other devices using the vulnerable KCodes NetUSB software.

💻 Affected Systems

Products:

NETGEAR Nighthawk R7000
NETGEAR Nighthawk R6400
Other devices using KCodes NetUSB.ko module

Versions: Firmware versions prior to vendor patches

Operating Systems: Embedded Linux on affected routers

Default Config Vulnerable: ⚠️ Yes

Notes: ReadySHARE Printer functionality must be enabled (often default). Affects multiple vendors using KCodes NetUSB technology.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote kernel memory disclosure leading to potential privilege escalation, complete system compromise, or persistent denial of service.

🟠

Likely Case

Denial of service (router crash/reboot) or sensitive kernel memory disclosure that could aid further attacks.

🟢

If Mitigated

Limited impact if device is isolated from untrusted networks and has updated firmware.

🌐 Internet-Facing: LOW (requires local network access, not directly internet exploitable)

🏢 Internal Only: HIGH (any attacker on the local network can exploit without authentication)

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit requires sending crafted packets to port 20005/UDP. Public PoC available from Talos Intelligence.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NETGEAR firmware updates (check specific model)

Vendor Advisory: https://kb.netgear.com/000061457/Security-Advisory-for-Arbitrary-Memory-Read-Vulnerability-on-Some-Routers-PSV-2018-0504

Restart Required: Yes

Instructions:

1. Identify router model. 2. Visit NETGEAR support site. 3. Download latest firmware. 4. Upload via router admin interface. 5. Reboot router.

🔧 Temporary Workarounds

Disable ReadySHARE Printer

all

Turn off the vulnerable NetUSB functionality in router settings

Block NetUSB Port

linux

Block access to port 20005/UDP on router firewall

iptables -A INPUT -p udp --dport 20005 -j DROP

🧯 If You Can't Patch

Segment network to isolate affected routers from untrusted devices
Implement strict network access controls to limit who can communicate with router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check if port 20005/UDP is open and responding to NetUSB protocol. Use nmap: nmap -sU -p 20005 <router_ip>

Check Version:

Log into router web interface and check firmware version in Administration or Advanced settings

Verify Fix Applied:

Verify port 20005/UDP is no longer open or responding. Check firmware version matches patched release.

📡 Detection & Monitoring

Log Indicators:

Router crash/reboot logs
Kernel panic messages in system logs
Unusual traffic to port 20005/UDP

Network Indicators:

Malformed UDP packets to port 20005
Excessive traffic to router on unusual ports

SIEM Query:

source_port=20005 OR dest_port=20005 protocol=UDP

📊 Metadata

CVE ID: CVE-2019-5016

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CWE: CWE-200

Published: June 17, 2019

Last Updated: November 21, 2024

🔗 References

http://www.securityfocus.com/bid/108820 Broken Link
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0775 Third Party Advisory
http://www.securityfocus.com/bid/108820 Broken Link
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0775 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-5016, you might also want to check these: