A new remote code execution (RCE) flaw, tracked as CVE-2021-45388, has been discovered in the KCodes NetUSB kernel module used by many router models across multiple vendors. Exploiting this flaw would allow a remote threat actor to execute code in the kernel of the router itself, potentially allowing for a full compromise of the device.
NetUSB is a kernel module included in various routers to allow computers on the network to interact with any USB device plugged into the router. This solution allows users to share USB printers and hard drives across the entire network. The vulnerable code in the kernel module does not validate the size value used in a kernel memory allocation call, which can result in an integer overflow. This overflow can then allow a malicious out-of-bounds write to occur, using data from a network socket that is under the attacker’s control. Due to some limitations in this overflow, exploiting the vulnerability may be difficult, but it is made easier by a sixteen-second timeout in the module to receive a request before closing. This gives an attacker time and flexibility in getting the exploit to work.
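The bug class described above, as an added user-space example that is not code from the NetUSB module: a length read from the network is added to a fixed value before allocation, shown unchecked and then hardened. The 16-byte header, the 64 KiB cap, the message layout and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values for illustration; none are taken from the NetUSB module. */
#define HDR_LEN     16u            /* fixed bytes added to the peer-supplied length */
#define MAX_PAYLOAD (64u * 1024u)  /* hypothetical cap on a single request */

/* Flawed pattern: the 32-bit sum wraps, so a huge length yields a tiny allocation size. */
uint32_t alloc_size_unchecked(uint32_t wire_len)
{
    return wire_len + HDR_LEN;
}

/* Hardened pattern: bound the length first, then add with overflow detection.
 * The builtin (GCC/Clang) keeps the check valid even if the cap is later raised. */
bool alloc_size_checked(uint32_t wire_len, uint32_t *out)
{
    if (wire_len > MAX_PAYLOAD)
        return false;
    return !__builtin_add_overflow(wire_len, HDR_LEN, out);
}

/* Parse a constructed request format: 4-byte little-endian length, then the payload.
 * Returns a heap buffer of HDR_LEN zeroed bytes followed by the payload, or NULL if rejected. */
uint8_t *receive_request(const uint8_t *msg, size_t msg_len, uint32_t *buf_len)
{
    if (msg_len < 4)
        return NULL;
    uint32_t wire_len = (uint32_t)msg[0] | (uint32_t)msg[1] << 8 |
                        (uint32_t)msg[2] << 16 | (uint32_t)msg[3] << 24;
    if (!alloc_size_checked(wire_len, buf_len))
        return NULL;                 /* oversized or wrapping length */
    if (wire_len > msg_len - 4)
        return NULL;                 /* claims more data than was received */
    uint8_t *buf = calloc(1, *buf_len);
    if (buf != NULL)
        memcpy(buf + HDR_LEN, msg + 4, wire_len);
    return buf;
}
```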
A number of common router vendors use the KCodes NetUSB kernel module in their devices, including Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital. Netgear has released security patches for its affected devices, but it is currently unknown which router models from the other vendors are affected by the vulnerability.