According to new information released on January 11th, 2022, a severe security vulnerability was discovered in the widely used KCodes NetUSB component. The vulnerability could potentially lead to broad, high-impact consequences such as the complete compromise of millions of WiFi routers that KCodes is licensed to work with.
About KCodes and NetUSB
Established in 2001, Taiwan-based company KCodes offers USB over IP solutions, such as NetUSB, among other products like wired and wireless bridge solutions, USB device servers, USB extenders, wireless docking, and software customization services related to networking solutions. The company prides itself on being a market leader in USB over IP technology products. KCodes also emphasizes that over 20% of all networking devices around the world embed its networking solution components.
The KCodes NetUSB component is a patented software technology product that is a “highly customizable” USB over IP kernel module based on the Linux system. It functions via typical USB ports found on the back of certain router models. Simply put, by plugging a USB device into the router and combining this with KCodes NetUSB software, a user can interact with devices that are not physically present.
SentinelLabs Vulnerability Report
Courtesy of SentinelLabs’ Max Van Amerongen, a report was published today extensively detailing the KCodes NetUSB security flaw. Entitled “CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers”, this fresh vulnerability report by SentinelLabs confirms that millions of end-user router devices are at risk as a result of the NetUSB security flaw.
As it turns out, the team at SentinelLabs found that the NetUSB Linux kernel module was “listening” on TCP port 20005 via the IP 0.0.0.0. This means that “[Provided] there were no firewall rules in place to block it, that would mean it was listening on the WAN as well as the LAN.” Since NetUSB interacts and controls remote devices, the danger is in the handshake process — the moment when two systems initialize a network connection.
SentinelLabs then discovered an insecure segment of code that could allow a cybercriminal to infiltrate and compromise an affected device by executing malicious code. Technically speaking, the SoftwareBus_fillBuf function in the Linux kernel module does not validate the size value it receives; adding 0x11 to that size causes an integer overflow, and the resulting undersized buffer leads to out-of-bounds writes.
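To make the flaw pattern concrete, here is an added illustrative example (not KCodes' code and not taken from the SentinelLabs report): a toy receive path in which a 32-bit, remotely supplied size has a fixed 0x11-byte header added to it before allocation. The unchecked version reproduces the arithmetic the article describes, so the sum wraps for large sizes; the hardened version rejects any size that would wrap or exceed a policy limit before anything is allocated or copied. The constant 0x11 comes from the article; HEADER_LEN, MAX_PAYLOAD and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical constants: a 0x11-byte header (the value the article cites)
 * and a policy cap on how much payload one message may carry. */
#define HEADER_LEN  0x11u
#define MAX_PAYLOAD 0x10000u

/* Unchecked pattern, as the article describes the flaw: size + 0x11 with no
 * validation. The result wraps modulo 2^32 whenever size > 0xFFFFFFEE, so the
 * allocation ends up far smaller than the payload it is meant to hold. */
uint32_t unchecked_alloc_len(uint32_t size) {
    return size + HEADER_LEN;
}

/* Hardened pattern: validate before doing arithmetic. Returns false (and
 * leaves *out untouched) when the addition would wrap or the size exceeds
 * the policy limit. */
bool checked_alloc_len(uint32_t size, uint32_t *out) {
    if (size > UINT32_MAX - HEADER_LEN) return false; /* would wrap */
    if (size > MAX_PAYLOAD)             return false; /* over policy cap */
    *out = size + HEADER_LEN;
    return true;
}

/* Convenience wrapper: the validated length, or 0 when the size is rejected. */
uint32_t checked_alloc_len_or_zero(uint32_t size) {
    uint32_t n = 0;
    return checked_alloc_len(size, &n) ? n : 0;
}

/* Would copying `size` payload bytes after the header overrun a buffer of
 * alloc_len bytes? Computed in 64 bits so the comparison itself cannot wrap. */
bool fill_would_overflow(uint32_t size, uint32_t alloc_len) {
    return (uint64_t)size + HEADER_LEN > alloc_len;
}

/* Safe receive path: validate, then allocate header + payload and copy.
 * Returns NULL for any rejected size; the caller frees the buffer. */
uint8_t *safe_fill_buf(const uint8_t *payload, uint32_t size) {
    uint32_t alloc_len;
    if (!checked_alloc_len(size, &alloc_len)) return NULL;
    uint8_t *buf = malloc(alloc_len);
    if (!buf) return NULL;
    memset(buf, 0, HEADER_LEN);                 /* header contents: hypothetical */
    memcpy(buf + HEADER_LEN, payload, size);    /* fits: alloc_len == size + 0x11 */
    return buf;
}

int main(void) {
    uint32_t hostile = 0xFFFFFFF0u;   /* constructed oversized length */
    printf("unchecked: size=0x%08x -> alloc=0x%08x, overflow=%d\n",
           hostile, unchecked_alloc_len(hostile),
           fill_would_overflow(hostile, unchecked_alloc_len(hostile)));
    printf("checked:   size=0x%08x -> alloc=%u (0 means rejected)\n",
           hostile, checked_alloc_len_or_zero(hostile));
    uint8_t *ok = safe_fill_buf((const uint8_t *)"abc", 3);
    printf("safe_fill_buf(3 bytes) -> %s\n", ok ? "allocated" : "rejected");
    free(ok);
    return 0;
}
```

The point of the comparison is where the check sits: the hardened path decides on the raw size before any addition, so a wrapped value never reaches the allocator. A policy cap such as MAX_PAYLOAD is a second, independent line of defence that also bounds memory use per connection.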
This is not the first time a flaw like this has been discovered. SentinelLabs noted that a different NetUSB vulnerability discovered in 2015 (a kernel stack buffer overflow) luckily provided resources that let the team quickly verify this particular flaw. In addition, this integer overflow was first noticed in a Netgear device and is tracked as CVE-2021-45608. The vulnerability is also currently tracked as CVE-2021-45388 by multiple public software vulnerability databases.
Overflow flaws are very common in the software industry and are not exclusive to KCodes’ products. Some of the world’s most widely used products and solutions such as iOS and iPadOS, Daemon Tools, and Qualcomm chipsets are few among many that have experienced such vulnerabilities.
The third-party NetUSB component is licensed to several device manufacturers, most notably for WiFi gear from TP-Link, Netgear, Tenda, EDiMAX, DLink, and Western Digital.
Theoretically, a remote attacker could use this flaw to craft a malicious device driver that lets them execute code on the router. This could also potentially impact all of the USB devices connected to the router itself.
Because the security vulnerability affects the kernel of the router’s operating system, the RCE (remote code execution) would be executed at the root user level.
Recommended Security Measures
At present, security research has not indicated that this vulnerability has been leveraged by cybercriminals to orchestrate any malicious activities. SentinelLabs have noted that, although it would be difficult to orchestrate an exploit (execution of code remotely in the kernel) for the vulnerability, they “believe that it isn’t impossible.”
As of December 20th, 2021, one device manufacturer, Netgear, has released an advisory that contains information about firmware updates that remediate the risk. As for those who use devices from the other manufacturers in the list of affected devices, it is recommended that users or admins immediately apply firmware updates to their routers, if available.