SentinelOne discovers exploitable vulnerability in the KCodes NetUSB kernel module – remote code execution and system takeover possible
Security researchers at SentinelLabs, the research division of SentinelOne, have discovered a serious security flaw in the KCodes NetUSB kernel module, which is licensed by numerous network device manufacturers and affects millions of end-user routers. Cybercriminals could exploit this vulnerability remotely to execute code in the target’s kernel. This would allow attackers to take over the victim’s system, steal or encrypt data, and cause significant damage.
SentinelLabs proactively reported its findings on the vulnerability to KCodes in September 2021. In October, a patch was sent to the affected manufacturers to fix the vulnerability. MITRE tracks the vulnerability as CVE-2021-45608.
Details of the vulnerability and affected manufacturers
NetUSB is a product developed by KCodes. It lets remote devices on a network interact with USB devices connected to a router; for example, a printer can be used as if it were connected directly to the computer via USB. This requires a driver on the computer that communicates with the router through this kernel module.
This module is licensed to a wide range of manufacturers for use in their products, in particular:
- Western Digital
The vulnerability affects millions of devices worldwide, and in some cases it can be exploited entirely remotely. Because of the large number of vendors affected, SentinelLabs researchers reported the vulnerability directly to KCodes so that the information could be distributed to its licensees. This ensured that all manufacturers could receive the patch.
Disclosure and countermeasures
On September 4, SentinelLabs researchers informed KCodes of the existence of the vulnerability, and on September 20 they communicated the full details of their investigation to KCodes. In October, KCodes provided a patch, which was distributed to the affected vendors. In addition, the use of the faulty firmware has been discontinued. At this time, SentinelOne has not detected any evidence of successful abuse of the protocol by cybercriminals.
Since the vulnerability is in a third-party component licensed to several router manufacturers, the only way to fix it is to update the router’s firmware, if an update is available. It is important to check that the router in use is not a discontinued model, since in that case it is unlikely to receive an update for this vulnerability.