A high-impact vulnerability that allows remote code execution has affected millions of end-user router devices. On Tuesday, SentinelOne released an analysis of the flaw, tracked as CVE-2021-45388 and rated critical by the research team. The issue lies in the KCodes NetUSB kernel module. Several hardware makers license KCodes software to provide USB-over-IP capability in products such as routers, printers, and flash storage devices.
KCodes NetUSB, the proprietary software that provides these connections, has previously been the subject of an SEC Consult Vulnerability Lab analysis. According to SentinelOne, the software is presently “used by a large number of network device vendors,” and its security flaws “affect millions of end-user router devices.”
Researcher Max Van Amerongen uncovered the flaw while studying a Netgear device. NetUSB, a kernel module, fails to correctly validate the size of packets received over remote connections, which can lead to a heap buffer overflow. Although a malicious payload to trigger CVE-2021-45388 would be challenging to construct owing to constraints in the affected code, a successful attack could result in remote code execution in the kernel, as Van Amerongen explained.
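To illustrate the bug class the article describes, an unchecked remote length that drives a heap allocation, here is an added example in C. It is a constructed user-space model, not NetUSB's code or SentinelOne's analysis; the packet layout, HEADER_LEN and MAX_PAYLOAD are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed packet layout for illustration: a 4-byte little-endian payload
 * length followed by the payload. MAX_PAYLOAD is an assumed protocol limit,
 * not a value taken from NetUSB. */
#define HEADER_LEN 4u
#define MAX_PAYLOAD 4096u

static uint32_t declared_len(const uint8_t *pkt) {
    return (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
           ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
}

/* Vulnerable pattern: the remote length is trusted and the buffer is sized as
 * len + HEADER_LEN in 32-bit arithmetic. A huge len wraps to a tiny allocation
 * while a later copy would still use len bytes: a heap overflow. This function
 * only returns the size that would be requested; it never performs the copy. */
uint32_t vulnerable_alloc_size(const uint8_t *pkt) {
    uint32_t len = declared_len(pkt);
    return len + HEADER_LEN; /* no range check, may wrap around */
}

/* Hardened pattern: bound the length by the protocol maximum (so the addition
 * cannot wrap) and by the bytes actually received, then allocate and copy.
 * Returns a malloc'd copy of the packet, or NULL when it is rejected. */
uint8_t *hardened_copy(const uint8_t *pkt, size_t received, uint32_t *out_len) {
    if (received < HEADER_LEN) return NULL;
    uint32_t len = declared_len(pkt);
    if (len > MAX_PAYLOAD) return NULL;                   /* oversized claim */
    if ((size_t)len > received - HEADER_LEN) return NULL; /* claim exceeds data */
    uint8_t *buf = malloc(len + HEADER_LEN);
    if (!buf) return NULL;
    memcpy(buf, pkt, HEADER_LEN + len);
    *out_len = len;
    return buf;
}

int main(void) {
    /* Constructed malicious header: declared length 0xFFFFFFFE, no payload. */
    uint8_t evil[4] = {0xFE, 0xFF, 0xFF, 0xFF};
    uint32_t n = 0;
    printf("vulnerable would allocate %u bytes\n", vulnerable_alloc_size(evil));
    printf("hardened rejects: %s\n", hardened_copy(evil, sizeof evil, &n) ? "no" : "yes");
    return 0;
}
```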
According to SentinelOne, the software is licensed by Netgear, TP-Link, D-Link, and Western Digital, all of which are aware of the security problem.
The researchers informed KCodes of their findings immediately, on September 9, since it made more sense to alert the source, which could then distribute a fix to every licensee, than to alert Netgear alone on the basis of a single product test. A proof-of-concept patch was made available on October 4, and all suppliers received it on November 17.
Firmware updates, such as those described in Netgear’s advisory, have either been released or are in progress. As of this writing, there has been no evidence of exploitation in the wild.