KCodes NetUSB kernel remote code execution flaw impacts millions of devices
A high-impact vulnerability allowing remote code execution to take place has impacted millions of end-user router devices.
On Tuesday, SentinelOne published an analysis of the bug, tracked as CVE-2021-45388 and deemed critical by the research team.
The vulnerability impacts the KCodes NetUSB kernel module. KCodes solutions are licensed by numerous hardware vendors to provide USB over IP functionality in products including routers, printers, and flash storage devices.
KCodes NetUSB, the subject of a SEC Consult Vulnerability Lab analysis in the past, is proprietary software used to facilitate these connections — and the software is currently “used by a large number of network device vendors,” of which the security flaws “affect millions of end-user router devices,” according to SentinelOne.
Researcher Max Van Amerongen discovered the bug while examining a Netgear device. The kernel module, NetUSB, did not properly validate the size of packets fetched via remote connections, allowing a potential heap buffer overflow.
According to Van Amerongen, although a malicious payload would be difficult to write to trigger CVE-2021-45388 due to coding constraints, a successful exploit could result in remote code execution in the kernel.
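The flaw class described above (a kernel module sizing a heap buffer from a length taken straight off the network) is illustrated below with an added example written for this article; it is not KCodes, NetUSB or SentinelOne code, and the wire format (4-byte little-endian length followed by payload), the header size HDR_LEN, the ceiling MAX_PAYLOAD and the function names are all assumptions made for the illustration. It shows the receive path a defender would want: the declared length is bounded against a fixed ceiling and against the bytes actually received before it drives any allocation or copy.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed protocol limits (assumptions for this example, not NetUSB values). */
#define HDR_LEN     4    /* 4-byte little-endian payload length field */
#define MAX_PAYLOAD 64   /* largest payload the receiver is willing to buffer */

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,  /* fewer bytes than a header */
    PARSE_TOO_LARGE,     /* declared length above the fixed ceiling */
    PARSE_TRUNCATED,     /* declared length exceeds bytes actually received */
    PARSE_OOM,           /* allocation failed */
    PARSE_INTERNAL       /* test-helper buffer too small */
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened receive path. On PARSE_OK, *out is a heap copy of the payload
 * (caller frees) and *out_len its length. The unsafe pattern the advisory
 * describes would instead feed `declared` directly into the allocation and
 * copy; here it is validated twice before either happens. */
enum parse_status parse_packet(const uint8_t *buf, size_t buflen,
                               uint8_t **out, size_t *out_len) {
    *out = NULL;
    *out_len = 0;
    if (buflen < HDR_LEN)
        return PARSE_SHORT_HEADER;
    uint32_t declared = read_le32(buf);
    /* Ceiling check first, before any arithmetic on the untrusted value. */
    if (declared > MAX_PAYLOAD)
        return PARSE_TOO_LARGE;
    /* Then check against what actually arrived, so a short packet cannot
     * make the copy read past the end of buf. */
    if (declared > buflen - HDR_LEN)
        return PARSE_TRUNCATED;
    uint8_t *payload = malloc(declared ? declared : 1);
    if (!payload)
        return PARSE_OOM;
    memcpy(payload, buf + HDR_LEN, declared);
    *out = payload;
    *out_len = declared;
    return PARSE_OK;
}

/* Build a constructed packet whose length field and real payload size may
 * deliberately disagree, to exercise the checks. Returns bytes written. */
size_t build_packet(uint8_t *dst, size_t dstlen, uint32_t declared, size_t actual) {
    if (dstlen < HDR_LEN + actual)
        return 0;
    dst[0] = (uint8_t)(declared & 0xff);
    dst[1] = (uint8_t)((declared >> 8) & 0xff);
    dst[2] = (uint8_t)((declared >> 16) & 0xff);
    dst[3] = (uint8_t)((declared >> 24) & 0xff);
    memset(dst + HDR_LEN, 'A', actual);
    return HDR_LEN + actual;
}

/* Parse a raw buffer and return only the status (frees any payload). */
enum parse_status parse_status_only(const uint8_t *buf, size_t buflen) {
    uint8_t *p;
    size_t plen;
    enum parse_status s = parse_packet(buf, buflen, &p, &plen);
    free(p);
    return s;
}

/* Build a packet with the given declared/actual sizes and parse it. */
enum parse_status check_packet(uint32_t declared, size_t actual) {
    uint8_t buf[HDR_LEN + 256];
    size_t n = build_packet(buf, sizeof buf, declared, actual);
    if (n == 0)
        return PARSE_INTERNAL;
    return parse_status_only(buf, n);
}

int main(void) {
    printf("well-formed       -> %d\n", check_packet(16, 16));          /* PARSE_OK */
    printf("over ceiling      -> %d\n", check_packet(200, 16));         /* PARSE_TOO_LARGE */
    printf("huge length field -> %d\n", check_packet(0xFFFFFFF0u, 16)); /* PARSE_TOO_LARGE */
    printf("truncated         -> %d\n", check_packet(32, 16));          /* PARSE_TRUNCATED */
    return 0;
}
```

The order of the checks matters: comparing the declared length against a constant ceiling before doing any arithmetic with it means an absurdly large or wrapped length field is rejected on its own, and the second comparison against the received byte count keeps the copy within the data that actually exists.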
SentinelOne says that vendors including Netgear, TP-Link, D-Link, and Western Digital license the software, and all of them are now aware of the security flaw.
The researchers disclosed their findings to KCodes directly on September 9, reasoning that it made more sense to inform the source, which could then distribute a patch to everyone, than to inform only Netgear on the basis of a single product test. A proof-of-concept patch was made available on October 4 and was sent to all vendors on November 17.
Firmware updates, such as those detailed in the advisory issued by Netgear, have either been issued or are underway.
At the time of writing, no exploitation has been discovered in the wild.
“While we are not going to release any exploits for it, there is a chance that one may become public in the future despite the rather significant complexity involved in developing one,” the researchers say.