A serious remote arbitrary code execution vulnerability has been found in the KCodes NetUSB kernel module used by millions of routers from different manufacturers.
The problem was identified by SentinelOne specialists. They say that the bug is related to the USB-over-network component and has been assigned the identifier CVE-2021-45388 (9.8 points on the CVSS vulnerability rating scale). The problem was found in the NetUSB library created by KCodes. The developers were notified of the bug last year, and KCodes released updates for NetUSB in October 2021.
NetUSB allows devices on a local network, including computers and smartphones, to interact with USB devices connected to the router, for example, printers, flash drives, NAS, and so on. The library was created back in the early 2010s and is still widely used in routers from companies such as Netgear, TP-Link, Tenda, EDiMAX, D-Link and Western Digital.
SentinelOne reports that the library is misconfigured: it accepts interactions with USB ports not only from the internal network, but also through the external interface connected to the Internet. That is, an attacker could send malicious commands (via port 20005) to Internet-connected NetUSB routers and then exploit an integer overflow vulnerability. This ultimately leads to code execution in the router's kernel, allowing an attacker to take control of the device.
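To see whether port 20005 is being reached from the Internet side, the following added example (not code from SentinelOne or KCodes) counts new inbound TCP connection attempts to that port in netfilter-style firewall logs. The interface name `eth0`, the log layout and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

NETUSB_PORT = 20005   # port named in the article
WAN_IFACE = "eth0"    # assumption: name of the Internet-facing interface

# Constructed sample lines in netfilter LOG style (trimmed; not real traffic).
SAMPLE_LOG = """\
Jan 12 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51544 DPT=20005 SYN URGP=0
Jan 12 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51546 DPT=20005 SYN URGP=0
Jan 12 10:02:10 gw kernel: IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=40112 DPT=20005 SYN URGP=0
Jan 12 10:03:44 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.20 PROTO=TCP SPT=33010 DPT=443 SYN URGP=0
Jan 12 10:05:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=198.51.100.20 PROTO=TCP SPT=60001 DPT=20005 SYN URGP=0
Jan 12 10:05:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=198.51.100.20 PROTO=TCP SPT=60001 DPT=20005 ACK URGP=0
Jan 12 10:06:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.20 PROTO=UDP SPT=5353 DPT=20005
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split a log line into KEY=value fields and bare tokens (TCP flags etc.)."""
    fields = dict(FIELD.findall(line))
    flags = {tok for tok in line.split() if "=" not in tok}
    return fields, flags

def netusb_wan_probes(log_text, wan_iface=WAN_IFACE, port=NETUSB_PORT):
    """Count new TCP connection attempts (SYN without ACK) per source address
    that arrive on the WAN interface and target the NetUSB port."""
    hits = Counter()
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if fields.get("IN") != wan_iface:
            continue  # LAN-side use of NetUSB is expected traffic
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        if "SYN" in flags and "ACK" not in flags and "SRC" in fields:
            hits[fields["SRC"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, count in sorted(netusb_wan_probes(SAMPLE_LOG).items()):
        print(f"{src}: {count} new connection attempt(s) to TCP/{NETUSB_PORT} on {WAN_IFACE}")
```

Any hit on the WAN interface means the port is at least being probed from outside; whether the router answers depends on its firmware and firewall settings.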
At the same time, it is emphasized that it will most likely be difficult for attackers without the appropriate skills and knowledge to create an exploit, but a single publicly available PoC would be enough to start a wave of attacks. There are currently no exploits available online, and SentinelOne reports that no attempts to exploit CVE-2021-45388 have been observed so far.
Unfortunately, as is often the case with such vulnerabilities, it is not yet clear which KCodes customers have already released patches, and which router models are still vulnerable. Currently, only Netgear has publicly acknowledged the issue and posted a list of affected models as well as links to fixes.