A remote code execution (RCE) flaw, tracked as CVE-2021-45388, has been discovered in the KCodes NetUSB kernel module that ships in router models from multiple vendors. A remote attacker who exploits it can execute code in the router's kernel, which amounts to a full compromise of the device.
NetUSB is a kernel module included in various routers so that computers on the local network can use USB devices plugged into the router, for example a shared USB printer or hard drive. The vulnerable code reads a size value from a network socket and passes it to a kernel memory allocation without validating it. The size arithmetic can overflow, so the buffer that gets allocated is far smaller than the amount of attacker-controlled socket data the module then writes into it, producing an out-of-bounds write in kernel memory. Constraints on the overflow make reliable exploitation difficult, but the module waits up to sixteen seconds for a request before closing the connection, which gives an attacker time and flexibility to stage the exploit.
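The size-arithmetic bug described above, as an added user-space model written for this page. It is not NetUSB's code: the 16-byte header, the 64 KiB payload ceiling and the length-prefixed wire format are assumptions made for the illustration. The vulnerable computation is shown beside a hardened one that bounds the length and uses an overflow-checked addition. Nothing is actually overrun; the returned struct exposes the mismatch between what the allocator is asked for and what the receive loop would then write.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this model (not NetUSB's real structures): the kernel
 * buffer carries a fixed 16-byte header ahead of the payload, and no
 * legitimate request needs more than 64 KiB of payload. */
#define HDR_LEN     16u
#define MAX_PAYLOAD (64u * 1024u)

/* Vulnerable pattern: the 32-bit length read from the socket is added to the
 * header length and handed to the allocator with no check. For
 * wire_len > UINT32_MAX - HDR_LEN the sum wraps, so the allocation is tiny
 * while the copy that follows still uses wire_len. */
static uint32_t vuln_alloc_size(uint32_t wire_len)
{
    return wire_len + HDR_LEN;
}

/* Hardened version: bound the length first, then add with an
 * overflow-checked builtin (GCC 5+/Clang). Returns false on rejection. */
static bool safe_alloc_size(uint32_t wire_len, uint32_t *total)
{
    if (wire_len > MAX_PAYLOAD)
        return false;
    if (__builtin_add_overflow(wire_len, HDR_LEN, total))
        return false;
    return true;
}

/* Outcome of dispatching one request in this user-space model. */
struct verdict {
    bool     accepted;    /* would the module go on to allocate and copy? */
    uint32_t alloc_bytes; /* size passed to the allocator */
    uint32_t copy_bytes;  /* bytes the receive loop would then write */
};

/* Parses a constructed request: 4-byte little-endian payload length, then
 * payload. Nothing is allocated or written; the struct shows the
 * allocation/copy mismatch that the real module turns into a kernel
 * out-of-bounds write. */
static struct verdict handle_request(const uint8_t *pkt, size_t pkt_len,
                                     bool hardened)
{
    struct verdict v = { false, 0, 0 };
    uint32_t wire_len;

    if (pkt_len < 4)
        return v;
    wire_len = (uint32_t)pkt[0] | (uint32_t)pkt[1] << 8 |
               (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;

    if (hardened) {
        if (!safe_alloc_size(wire_len, &v.alloc_bytes))
            return v;           /* rejected before any allocation */
    } else {
        v.alloc_bytes = vuln_alloc_size(wire_len);
    }

    v.accepted   = true;
    v.copy_bytes = wire_len;    /* the receive loop trusts the same length */
    return v;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t PKT_BENIGN[] = {
    0x10, 0x00, 0x00, 0x00,                         /* len = 16 */
    'h','e','l','l','o',' ','p','r','i','n','t','e','r','!','!','!'
};
static const uint8_t PKT_WRAP[] = { 0xf8, 0xff, 0xff, 0xff }; /* len = 0xfffffff8 */

int main(void)
{
    struct verdict v;

    v = handle_request(PKT_WRAP, sizeof PKT_WRAP, false);
    printf("vulnerable: accepted=%d alloc=%" PRIu32 " copy=%" PRIu32 "\n",
           v.accepted, v.alloc_bytes, v.copy_bytes);
    v = handle_request(PKT_WRAP, sizeof PKT_WRAP, true);
    printf("hardened:   accepted=%d\n", v.accepted);
    return 0;
}
```

With the wrapping length the vulnerable path asks the allocator for 8 bytes and then trusts a copy length of nearly 4 GiB; the hardened path refuses the request before anything is allocated. Inside the Linux kernel the same check is written with check_add_overflow() from linux/overflow.h rather than the compiler builtin directly.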
A number of common router vendors use the KCodes NetUSB kernel module in their devices, including Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital. Netgear has released security patches for its affected devices; which models from the other vendors are affected is not yet known.
Update the firmware on affected Netgear products as soon as possible to prevent this vulnerability from being exploited. The Netgear models found to be impacted are the D7800, R6400v2, and R6700v3. The other vendors have yet to release patches for their affected devices; where the USB sharing feature is not needed, disabling it reduces the exposed attack surface in the meantime. More generally, maintain a consistent patch cycle for every device on the network, routers included, to limit exposure to vulnerabilities like this one. Equally, only use devices the vendor still supports: a device that has reached end of support will not receive patches and will remain vulnerable until it is decommissioned.