NetUSB RCE Flaw in Millions of End User Routers | CVE-2021-45608

[David H. Lipman]

CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers

Quote

Executive Summary

• SentinelLabs has discovered a high severity flaw in the KCodes NetUSB kernel module used by a large number of network device vendors and affecting millions of end user router devices.
• Attackers could remotely exploit this vulnerability to execute code in the kernel.
• SentinelLabs began the disclosure process on the 9th of September and the patch was sent to vendors on the 4th of October.
• At this time, SentinelOne has not discovered evidence of in-the-wild abuse.

Introduction

As a number of my projects start, when I heard that Pwn2Own Mobile 2021 had been announced, I set about looking at one of the targets. Having not looked at the Netgear device when it appeared in the 2019 contest, I decided to give it a lookover.

While going through various paths through various binaries, I came across a kernel module called NetUSB. As it turned out, this module was listening on TCP port 20005 on the IP 0.0.0.0.

Provided there were no firewall rules in place to block it, that would mean it was listening on the WAN as well as the LAN. Who wouldn’t love a remote kernel bug?

NetUSB is a product developed by KCodes. It’s designed to allow remote devices in a network to interact with USB devices connected to a router. For example, you could interact with a printer as though it is plugged directly into your computer via USB. This requires a driver on your computer that communicates with the router through this kernel module.

It’s licensed to a large number of other vendors for use in their products, most notably:

• Netgear
• TP-Link
• Tenda
• EDiMAX
• DLink
• Western Digital

 

Edited January 13, 2022 by David H. Lipman
Edited for content, clarity, spelling and/or grammar