KCodes NetUSB kernel Vulnerability Exposed Millions of Routers

Cybersecurity researchers have detailed a high-severity vulnerability in KCodes NetUSB that allows remote code execution and has impacted millions of router devices.

On Tuesday, SentinelOne published an analysis of the bug, tracked as CVE-2021-45388 and deemed critical by the research team.

KCodes NetUSB is a Linux kernel module that enables devices on a local network to provide USB-based services over IP. Printers, external hard drives, and flash drives plugged into a Linux-based embedded system (e.g., a router) are made available via the network using the driver.

The vulnerability impacts the KCodes NetUSB kernel module. KCodes solutions are licensed by numerous hardware vendors to provide USB over IP functionality in products including routers, printers, and flash storage devices.

This module enables remote devices to connect to routers over IP and access any USB devices (such as printers, speakers, webcams, flash drives, and other peripherals) that are plugged into them. This is made possible using the proprietary NetUSB protocol and a Linux kernel driver that launches a server, which makes the USB devices available via the network. For remote users, it’s as if the USB devices are physically plugged into their local systems.

This software is currently “used by a large number of network device vendors,” of which the security flaws “affect millions of end-user router devices,” according to SentinelOne.

CVE-2021-45608 (CVSS score: 9.8), the identifier under which the security flaw is tracked, is a buffer overflow vulnerability that, if successfully exploited, allows attackers to execute code remotely in the kernel and perform malicious activities of their choice, according to a report shared by SentinelOne.

According to a writeup from SentinelOne vulnerability researcher Max Van Amerongen, attackers could remotely exploit the flaw, a pre-authentication buffer overflow, to execute code in the kernel and take over the device.

This is the latest in a string of NetUSB vulnerabilities that have been patched in recent years. In May 2015, researchers from SEC Consult disclosed another buffer overflow flaw (CVE-2015-3036) that could result in a denial-of-service (DoS) or code execution.

NetUSB is licensed to a slew of popular router vendors, including:

  • Netgear
  • TP-Link
  • Tenda
  • Edimax
  • D-Link
  • Western Digital

Fortunately, SentinelOne hasn’t yet spotted evidence of the flaw having been exploited in the wild.

SentinelOne says that vendors including Netgear, TP-Link, D-Link, and Western Digital license the software, and all of them are now aware of the security flaw.

SentinelOne has refrained from releasing proof-of-concept (PoC) code because other vendors are still in the process of shipping updates. But the cybersecurity firm cautioned that an exploit could still emerge in the wild despite the technical complexity involved, making it imperative that users apply the fixes to mitigate any potential risk.

“While we are not going to release any exploits for it, there is a chance that one may become public in the future despite the rather significant complexity involved in developing one,” the researchers say.
