NetUSB flaw could impact millions of routers

A critical flaw in NetUSB could allow attackers to gain remote access and has the potential to affect millions of devices.

SentinelOne vulnerability researcher Max Van Amerongen published a report Tuesday on the remote code execution vulnerability, tracked as CVE-2021-45388, found in software vendor KCodes' NetUSB kernel module. NetUSB is used by many network device vendors, including Netgear, TP-Link and Western Digital, to provide USB-over-IP functionality. While SentinelOne has not observed any attacks in the wild, the team determined that attackers could alter the code that the router would then execute.

The SentinelOne report noted three restrictions that make it difficult to exploit the flaw, such as "the structure must be sprayable from a remote perspective."

"While these restrictions make it difficult to write an exploit for this vulnerability, we believe that it isn't impossible, and so those with Wi-Fi routers may need to look for firmware updates for their router," Amerongen wrote in the report.

Amerongen initially uncovered the flaw after examining a targeted Netgear device from 2019 and found it could affect millions of other "end user" routers.

The types of routers that use NetUSB are most often found in homes, Amerongen told SearchSecurity. As working from home grew tenfold following the onset of the pandemic, routers have become a common target.

"While small businesses may also use these routers as they are cost-effective and easier to manage, larger organizations will tend to opt for more complicated devices they can have greater control over," Amerongen said in an email to SearchSecurity.

The vulnerability disclosure process for CVE-2021-45388 began in September with an initial email to KCodes, which then notified Netgear first, according to Amerongen. But by mid-November, KCodes confirmed it sent patches to all affected vendors and that the firmware would be out before the final disclosure date of Dec. 20. It would be another month or so before the report published.

Amerongen said while SentinelOne checked with KCodes that a patch had been sent to other vendors, they waited for vendors to start implementing the patch in their own firmware.

"Once Netgear had verifiably released a patch in late December, we began preparations to publish the post," he said in an email to SearchSecurity.

While the post said Netgear issued its own firmware update, Amerongen said SentinelOne has no way of knowing whether other vendors will end up pulling the patch or not.

"We used Netgear as a way of identifying a good release schedule and hopefully motivate other vendors to follow suit if they haven't already," he said in an email to SearchSecurity.

In the past, Netgear has faced criticism over addressing reported vulnerabilities. In January 2020, security researchers voiced difficulties in getting Netgear to fix exposed TLS certificate keys found in its firmware, which was reported multiple times.

Another example occurred in June of 2020 when Trend Micro's Zero Day Initiative (ZDI) notified Netgear of 10 vulnerabilities found in its R6700 router. It turned out that many of the flaws had gone unfixed since November 2019. Additionally, despite ZDI extending Netgear's disclosure deadline well past the usual 90 days, patches remained unavailable nearly seven months later.

While SentinelOne said it won't release any proof-of-concept exploits for the NetUSB flaw, "there is a chance it becomes public in the future despite the rather significant complexity involved in developing one." Amerongen warned that end-of-life router models are unlikely to receive an update for this flaw.

"Since this vulnerability is within a third-party component licensed to various router vendors, the only way to fix this is to update the firmware of your router, if an update is available," Amerongen wrote in the report.