KCodes NetUSB bug exposes hundreds of thousands of routers to RCE assaults

Netgear router

A high-severity distant code execution flaw tracked as CVE-2021-45388 has been found within the KCodes NetUSB kernel module, utilized by hundreds of thousands of router units from numerous distributors.

Efficiently exploiting this flaw would permit a distant risk actor to execute code within the kernel, and though some restrictions apply, the affect is broad and may very well be extreme.

The vulnerability discovery comes from researchers at SentinelLabs who shared their technical report with Bleeping Laptop earlier than publication.

What’s NetUSB and the way it’s focused

Some router producers embrace USB ports on units, permitting customers to share printers and USB drives on the community.

NetUSB is a kernel module connectivity resolution developed by KCodes, permitting distant units in a community to work together with the USB units immediately plugged right into a router.

NetUSB operational diagram
NetUSB operational diagram
Supply: KCodes

SentinelOne found a susceptible code section within the kernel module that does not validate the dimensions worth of a kernel reminiscence allocation name, leading to an integer overflow.

The ‘SoftwareBus_fillBuf’ operate might then use this new area for a malicious out-of-bounds write with information from a community socket underneath the attacker’s management.

Some limitations might make it tough to take advantage of the vulnerability, as described under.

  • The allotted object will at all times be within the kmalloc-32 slab of the kernel heap. As such, the construction should be lower than 32 bytes in dimension to suit.
  • The dimensions equipped is just used as a most obtain dimension and never a strict quantity.
  • The construction should be sprayable from a distant perspective.
  • The construction should have one thing that may be overwritten that makes it helpful as a goal (e.g. a Sort-Size-Worth construction or a pointer).

Nevertheless, the susceptible NetUSB module has a sixteen-second timeout to obtain a request, permitting extra flexibility when exploiting a tool.

Whereas these restrictions make it tough to write down an exploit for this vulnerability, we imagine that it isn’t unattainable and so these with Wi-Fi routers might have to search for firmware updates for his or her router,” SentinelOne warned in their report.

Affected distributors and patching

The router distributors that use susceptible NetUSB modules are Netgear, TP-Hyperlink, Tenda, EDiMAX, Dlink, and Western Digital.

It’s unclear which fashions are affected by CVE-2021-45388, but it surely’s usually advisable to make use of actively supported merchandise that obtain common safety firmware updates.

As a result of the vulnerability impacts so many distributors, Sentinel One alerted KCodes first, on September 9, 2021, and supplied a PoC (proof of idea) script on October 4, 2021, to confirm the patch launched that day.

Distributors had been contacted in November, and a firmware replace was scheduled for December 20, 2021.

Netgear launched a safety replace to patch CVE-2021-45388 on affected and supported merchandise on December 14, 2021.

In line with the safety advisory printed on December 20, 2021, the affected Netgear merchandise are the next:

  • D7800 mounted in firmware model
  • R6400v2 mounted in firmware model
  • R6700v3 mounted in firmware model

The answer carried out by Netgear was so as to add a brand new dimension examine to the ‘equipped dimension’ operate, stopping the out-of-bounds write.

Fix applied by Netgear
Repair utilized by Netgear
Supply: SentinelLabs

Bleeping Laptop has contacted all affected distributors to request a touch upon the timeline of releasing a firmware replace, however we have not obtained a response but.

Leave a Comment