A vulnerability in a software component integrated into a large number of routers and networked devices could be exploited remotely, potentially putting millions of routers at risk, security firm SentinelOne stated in a Jan. 11 advisory.
The software flaw occurs in a kernel module sold by third-party software developer KCodes. It's used in many connected products to allow USB connectivity over the network. Routers made by Netgear, D-Link, Western Digital, and other firms have all been verified to be vulnerable to exploitation of the flaw, says Max Van Amerongen, the vulnerability researcher at SentinelOne who discovered the issue.
While exploiting the vulnerability to cause a kernel panic is quite easy, remote execution is much more difficult, he says.
"If you wanted to do just a denial of service, it is pretty much a single packet — or a couple of packets — and you are done," he says. "In terms of code execution, it is a lot more complicated, especially because this is not a stack vulnerability, it is a heap vulnerability, which means there are a lot more components involved in getting code execution working."
Vulnerabilities in home and small business routers are notoriously pernicious cybersecurity issues. While a flaw can be identified and new software provided by the manufacturer, most home users and smaller businesses are unlikely to patch. In a survey of one manufacturer's routers, for example, more than 300,000 remained vulnerable to attack using year-old flaws that had already been patched. In a 2018 study, the American Consumer Institute's Center for Citizen Research found 155 of 186 sampled routers (83%) had known vulnerabilities.
SentinelOne identified this issue in September, confirmed KCodes issued a patch in October, and confirmed Netgear had released firmware to fix its devices in December, according to a timeline in the company's advisory. Still, getting users to apply the patch will be a problem, says Van Amerongen.
"I don't see many vendors that do automatic patches for home users, so getting this fixed will be a big problem," he says. "They said they pushed this out to all the other vendors, so we really need to take them at their word that all these vendors have a patch."
Van Amerongen found the flaw after deciding to look at Netgear routers for potential issues to submit to the annual Pwn2Own competition. The KCodes NetUSB component allows a computer to connect to a printer using the USB protocol, but by sending traffic over the network rather than through a direct cable. The exploit attempts to overflow the heap to gain execution, but the process is complex, he says. Heap overflows are much less reliable than stack overflows.
However, because routers are connected to the Internet, the attack can be carried out remotely. In addition, Wi-Fi routers with the KCodes NetUSB module could be vulnerable as well.
"We are specifically not releasing any exploit code to not make it easy," Van Amerongen says. "It is quite a complicated thing to exploit over the Internet with no feedback. So I can't see your average cybercriminal using this, at least not in the near future."
The vulnerability appears similar to a flaw in a network virtualization library that was created by Eltima and is used by Amazon and other companies. The Eltima vulnerability, which SentinelOne announced in December, occurs in the software development kit (SDK) for virtual networking, which allows USB to be used in the cloud.
It's important to note these issues are not related and affect completely different products, Van Amerongen says.
"I had no idea my teammate was working on the issue," he says. "Then when I saw that we were both doing network-USB things, it was a bit of a surprise."
An issue patched on Dec. 20 by Netgear in its D7800, R6400, and R6700 wireless routers is the vulnerability detailed in SentinelOne's Jan. 11 advisory, the security firm said. While the Netgear advisory states the patch fixes a "pre-authentication buffer overflow security vulnerability," it does not specifically reference the identifier for the flaw, CVE-2021-45388.
SentinelOne stated that it will not release its exploit code, but warned that other researchers and cyberattackers will likely be able to identify the issue.
"Since this vulnerability is within a third party component licensed to various router vendors, the only way to fix this is to update the firmware of your router, if an update is available," the company stated in its advisory. "It is important to check that your router is not an end-of-life model as it is unlikely to receive an update for this vulnerability."