A critical flaw in KCodes' NetUSB kernel module could allow attackers to gain remote code execution on routers, and it affects millions of devices.
Researchers from SentinelLabs published a report on the remote code execution vulnerability, tracked as CVE-2021-45388, in software vendor KCodes' NetUSB kernel module. NetUSB is a Linux kernel module developed by KCodes that lets devices on the local network use USB devices plugged directly into a router.
NetUSB is used by millions of routers from various vendors, including Netgear, TP-Link and Western Digital, to provide USB-over-IP functionality. While SentinelOne has not observed any attacks in the wild, the team determined that a remote attacker could exploit the flaw to execute code on the router.
The SentinelOne report noted three constraints that make the vulnerability difficult to exploit, among them that "the structure must be sprayable from a remote perspective," meaning an attacker has to be able to fill kernel heap memory with a chosen object from across the network before triggering the bug.
"While these restrictions make it difficult to write an exploit for this vulnerability, we believe that it isn't impossible, and so those with Wi-Fi routers may need to look for firmware updates for their router," researchers explained.
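The article does not go into what the bug itself is; SentinelLabs' public write-up (not quoted above) attributes it to an integer overflow when a length supplied by the remote peer is used to size a kernel heap allocation, which is why the exploit constraints above are about heap spraying. The following is an added illustration written for this page, not NetUSB code and not the researchers' code: it models that class of bug and its hardened counterpart in user space without touching memory. The header overhead constant, the little-endian length field, the `MAX_MSG_LEN` bound and the `handle_packet` model are all assumptions made for the illustration.

```c
/* Model of the bug class: a 32-bit length read from the network is added to a
 * fixed header overhead before the buffer is allocated, so a large length wraps
 * to a tiny allocation while the copy that follows still uses the original
 * length. Not NetUSB code; layout and constants are assumptions. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_OVERHEAD 0x11u    /* bytes added to the wire length (assumption for this model) */
#define MAX_MSG_LEN  0x10000u /* hypothetical protocol maximum the hardened path enforces */

/* Read a little-endian uint32 from a packet (byte order is an assumption). */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable size computation: wraps once wire_len > UINT32_MAX - HDR_OVERHEAD. */
uint32_t vuln_alloc_len(uint32_t wire_len) {
    return wire_len + HDR_OVERHEAD;
}

/* True when the vulnerable path allocates fewer bytes than it then copies. */
bool vuln_underallocates(uint32_t wire_len) {
    return vuln_alloc_len(wire_len) < wire_len;
}

/* Hardened computation: bound the length and refuse arithmetic that wraps.
 * Returns 0 and stores the allocation size on success, -1 on rejection. */
int hardened_alloc_len(uint32_t wire_len, size_t *out) {
    uint32_t total;
    if (wire_len > MAX_MSG_LEN)                                  /* protocol bound */
        return -1;
    if (__builtin_add_overflow(wire_len, HDR_OVERHEAD, &total))  /* wrap check */
        return -1;
    *out = total;
    return 0;
}

/* Model of the message handler. It does not allocate or copy; it only reports
 * what each path would do with the length field at the start of the packet.
 * Returns 0 = rejected, 1 = safe, 2 = vulnerable path would overflow its buffer. */
int handle_packet(const uint8_t *pkt, size_t pkt_len, bool hardened) {
    size_t alloc;
    if (pkt_len < 4)                          /* no complete length field */
        return 0;
    uint32_t wire_len = rd_le32(pkt);
    if (hardened)
        return hardened_alloc_len(wire_len, &alloc) == 0 ? 1 : 0;
    /* Vulnerable path: the module would allocate vuln_alloc_len(wire_len) bytes
     * and then keep reading wire_len bytes from the socket into that buffer,
     * so the overflow length is whatever the remote peer chooses to send. */
    return vuln_underallocates(wire_len) ? 2 : 1;
}

/* Constructed sample packets for the model (not captured traffic). */
static const uint8_t benign_pkt[] = { 0x10, 0x00, 0x00, 0x00, 'd', 'a', 't', 'a' }; /* len = 16 */
static const uint8_t evil_pkt[]   = { 0xf0, 0xff, 0xff, 0xff };                    /* len = 0xfffffff0 */

int main(void) {
    printf("benign, vulnerable path: %d\n", handle_packet(benign_pkt, sizeof benign_pkt, false));
    printf("evil,   vulnerable path: %d (allocation would be %" PRIu32 " bytes)\n",
           handle_packet(evil_pkt, sizeof evil_pkt, false), vuln_alloc_len(0xfffffff0u));
    printf("evil,   hardened path:   %d\n", handle_packet(evil_pkt, sizeof evil_pkt, true));
    return 0;
}
```

With a length of 0xfffffff0 the vulnerable arithmetic yields a one-byte allocation while the copy is still driven by the original length; the hardened path rejects both the wrap and any length above the protocol's stated maximum. `__builtin_add_overflow` is a GCC/Clang builtin; the equivalent inside the Linux kernel is `check_add_overflow()` from `<linux/overflow.h>`.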
The researchers initially spotted the flaw while examining a Netgear device from 2019 and then discovered that it affects millions of other end-user routers. The types of routers that use NetUSB are commonly found in homes, and as working from home grew tenfold following the onset of the pandemic, home routers have become a common target.
"While small businesses may also use these routers as they are cost-effective and easier to manage, larger organizations will tend to opt for more complicated devices they can have greater control over," researchers added.
Following responsible disclosure to KCodes on September 20, 2021, the Taiwanese firm released a patch to all vendors on November 19, 2021, after which Netgear released firmware updates containing fixes for the vulnerability.
SentinelOne has refrained from releasing proof-of-concept (PoC) code because other vendors are still in the process of shipping updates. However, the firm warned that an exploit could still emerge in the wild despite the technical complexity involved, making it imperative that users apply the fixes to mitigate the risk. Because NetUSB ships inside each vendor's router firmware, the fix can only arrive as a firmware update from that vendor, so owners of affected models should check for one, and routers that are no longer supported will not receive it.