USB-over-Ethernet bugs put cloud services at risk
SentinelOne says vulnerabilities in the Eltima SDK, which connects USB devices on virtual workstations, can put enterprises at risk of privilege escalation attacks.
An SDK used for remote desktop services has more than two dozen vulnerabilities that could put enterprises at risk of attack.
Researchers with SentinelOne say the Eltima SDK component, a USB-over-Ethernet software connector, is riddled with vulnerabilities that, if exploited, could allow someone with an end-user account to elevate their status to administrator privileges.
The Eltima SDK is a kit designed to let a locally connected USB peripheral, such as a webcam, be linked over a network connection to a remotely hosted PC; in this case, the USB hardware is linked to a virtual desktop. Several major cloud providers, including AWS, rely on the vulnerable SDK for their remote desktop services.
The USB-over-Ethernet bugs are significant because, in the pandemic era of business, companies are increasingly looking to move their remote workers to virtual desktops. Linking USB devices connected to a home computer with a remote workstation is key for videoconferencing and other collaboration applications.
SentinelOne researchers found a total of 27 vulnerabilities that affected AWS WorkSpaces, NoMachine and Accops, but cautioned that "our testing was limited in scope to these vendors, and we believe it is highly likely other cloud providers using the same libraries would be vulnerable."
With these bugs, an attacker who obtains an end user's credentials could elevate to higher privileges by running scripts that exploit the vulnerabilities in the Eltima SDK.
While not catastrophic by themselves, the vulnerabilities could enable the sort of lateral movement that lets an attacker go from compromising a single system to gaining control over much of a network.
"These high-severity flaws could allow any user on the computer, even without privileges, to escalate privileges and run code in kernel mode. Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products," said SentinelOne senior security researcher Kasif Dekel.
"An attacker with access to an organization's network may also gain access to execute code on unpatched systems and use this vulnerability to gain local elevation of privilege."
If there is some good news for admins, it is that the disclosure and patching appear to have been handled well. All of the vendors known to be affected have been notified and patched, and so far, there have been no reports of in-the-wild exploits.
On a wider scale, Dekel pointed out that when flaws exist in third-party SDKs and code dependencies, the scale of a vulnerability can extend far beyond a handful of products or services.
"Vulnerabilities in third-party code have the potential to put huge numbers of products, systems and, ultimately, end users at risk, as we've noted before," Dekel said.
"The outsized effect of vulnerable dependency code is magnified even further when it appears in services offered by cloud providers."