USB Kernel Bug Exposes Routers to RCE
Table of Contents
- By David Lukic
- Published: Jan 12, 2022
- Last Updated: Mar 18, 2022
Millions of popular routers have been exposed to RCE in recent weeks. RCE is an acronym that stands for remote code execution. Let’s take a closer look at how the exposure occurred.
Why are the Routers Exposed?
Some of the world’s top-selling end-user routers have the potential to be compromised by RCE resulting from a high-severity flaw within the KCodes NetUSB kernel module. The module empowers remote devices to link up with the routers through IP and tap into all connected USB devices. Examples of such USB devices include flash drives, speakers, printers, and webcams.
The exposure is accomplished with the use of a Linux kernel driver capable of launching a server along with a proprietary NetUSB protocol. The two work in unison to access the USB devices through the network. From the perspective of remote users, this arrangement makes it seem as though the devices that function with USBs are directly connected to local systems.
Why is the Exposure a Problem?
Max Van Amerongen, a digital security expert with SentinelOne, insists the exposure sets the stage for attackers to exploit the vulnerability from afar to execute the code within the kernel through a pre-authentication butter overflow security weakness. This strategy allows for the takeover of the device.
NetUSB is licensed to a litany of the best-selling routers ranging from Western Digital to Netgear, Tenda, TP-link, EDiMAX, and DLink. However, it must be noted SentinelOne has not yet found evidence that the security flaw has been exploited.
How was the Exposure Discovered?
Van Amerongen discovered the bug when examining a hack performed by the Pwn2Own hacking group. Amerongen was analyzing the Netgear router with the R6700v3 model at the time. The device was used in the 2019 Pwn2Own conference and also listed as a target in 2021.
Van Amerongen noticed the NetUSB kernel module when studying paths moving through binaries. It was at this point that the digital security specialist discovered something suspicious. The module listened in on TCP port 20005 through IP 0.0.0.0. In plain terms, this means hackers were listening through the LAN and WAN when a firewall wasn’t in place to prevent such oversight.
Is This the First NetUSB Vulnerability?
This is not the first-ever problematic NetUSB vulnerability. Another similar vulnerability was identified in 2015 in the form of Net USB KCodes kernel stack buffer overflow. The discovery spurred a helpful exploit that helped to rapidly verify the latest security vulnerability.
How Will the Exposure be Remedied?
The vulnerability is particularly tricky as it is a third-party component licensed to several router vendors. The best approach to remedying the vulnerability is the implementation of firmware updates through each individual vendor. However, there is no guarantee that such a firmware update will be available in a timely manner.
SentinelLabs started the disclosure process in September. The company transmitted a patch to vendors in October. Each of the vendors affected by the bug is aware of the problem. The vendors are in the process of implementing a fix. However, SentinelOne points out updates might not be available for routers considered end-of-life. Van Amerongen insists all router owners implement the latest firmware update as soon as possible.
