KCodes NetUSB kernel RCE vulnerability impacts millions of routers

SentinelOne cybersecurity specialists report the detection of CVE-2021-45388, a severe remote code execution (RCE) vulnerability in the KCodes NetUSB kernel module. This is a project employed by numerous hardware vendors to add USB over IP functionality into products such as routers, printers, and storage drives.

The vulnerability was identified by researcher Max Van Amerongen during the analysis of a Netgear device. The expert noticed that the kernel module (NetUSB) did not correctly validate the size of packets obtained through remote connections, which would have allowed a dynamic storage buffer overflow scenario.

Amerongen adds that a functional exploit could lead to remote code execution in the kernel, although it acknowledges that it would be difficult to develop a malicious payload to trigger the failure due to coding restrictions. Affected vendors include Netgear, TP-Link, DLink and Western Digital, which have already been notified of the failure.

This research was presented directly to KCodes in September 2021, as experts considered it pertinent to first notify the source of the software before alerting manufacturers of technological products that depend on this project. Official updates were available from mid-November.

Manufacturers such as Netgear are already close to completing their update process, plus no active exploitation attempts or the existence of a malware variant for the attack have been detected. Still, the researchers recommend rolling out official updates as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.