fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

KCodes NetUSB Bug Exposes Millions of Routers to RCE Attacks

KCodes NetUSB Bug Exposes Millions of Routers to RCE Attacks

A high-severity remote code execution flaw tracked as CVE-2021-45388 has been discovered in the KCodes NetUSB kernel module, used by millions of router devices from various vendors.

Successfully exploiting this flaw would allow a remote threat actor to execute code in the kernel, and although some restrictions apply, the impact is broad and could be severe.

The vulnerability discovery comes from researchers at SentinelLabs who shared their technical report with Bleeping Computer before publication.

Also Read: 5 Simple Instructions on How to Access Request Form PDF

What is NetUSB and how it’s targeted

Some router manufacturers include USB ports on devices, allowing users to share printers and USB drives on the network.

NetUSB is a kernel module connectivity solution developed by KCodes, allowing remote devices in a network to interact with the USB devices directly plugged into a router.

NetUSB operational diagram
NetUSB operational diagram
Source: KCodes

SentinelOne discovered a vulnerable code segment in the kernel module that doesn’t validate the size value of a kernel memory allocation call, resulting in an integer overflow.

The ‘SoftwareBus_fillBuf’ function may then use this new region for a malicious out-of-bounds write with data from a network socket under the attacker’s control.

Some limitations may make it difficult to exploit the vulnerability, as described below.

  • The allocated object will always be in the kmalloc-32 slab of the kernel heap. As such, the structure must be less than 32 bytes in size to fit.
  • The size supplied is only used as a maximum receive size and not a strict amount.
  • The structure must be sprayable from a remote perspective.
  • The structure must have something that can be overwritten that makes it useful as a target (e.g. a Type-Length-Value structure or a pointer).

However, the vulnerable NetUSB module has a sixteen-second timeout to receive a request, allowing more flexibility when exploiting a device.

Also Read: Unsolicited Electronic Messages Act Means for Businesses

“While these restrictions make it difficult to write an exploit for this vulnerability, we believe that it isn’t impossible and so those with Wi-Fi routers may need to look for firmware updates for their router,” SentinelOne warned in their report.

Affected vendors and patching

The router vendors that use vulnerable NetUSB modules are Netgear, TP-Link, Tenda, EDiMAX, Dlink, and Western Digital.

It is unclear which models are affected by CVE-2021-45388, but it’s generally advisable to use actively supported products that receive regular security firmware updates.

Because the vulnerability affects so many vendors, Sentinel One alerted KCodes first, on September 9, 2021, and provided a PoC (proof of concept) script on October 4, 2021, to verify the patch released that day.

Vendors were contacted in November, and a firmware update was scheduled for December 20, 2021.

Netgear released a security update to patch CVE-2021-45388 on affected and supported products on December 14, 2021.

According to the security advisory published on December 20, 2021, the affected Netgear products are the following:

  • D7800 fixed in firmware version 1.0.1.68
  • R6400v2 fixed in firmware version 1.0.4.122
  • R6700v3 fixed in firmware version 1.0.4.122

The solution implemented by Netgear was to add a new size check to the ‘supplied size’ function, preventing the out-of-bounds write.

Fix applied by Netgear
Fix applied by Netgear
Source: SentinelLabs

Bleeping Computer has contacted all affected vendors to request a comment on the timeline of releasing a firmware update, but we haven’t received a response yet.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us