Security firm SentinelLabs has revealed a serious new vulnerability in the KCodes NetUSB kernel module, which could enable hackers to remotely hijack various routers. Sadly, the flaw appears to affect millions of end-user broadband and WiFi routers from major brands (e.g. NETGEAR, Edimax, D-Link, Tenda, TP-Link and Western Digital).
The NetUSB module itself, which is licensed by KCodes for use in devices from all of the aforementioned vendors, is simply designed to allow remote devices on a network to interact with USB devices connected to a router, a fairly common requirement for any router with a USB port.
However, the researchers noted that the module was listening on TCP port 20005 bound to the IP 0.0.0.0 (i.e. reachable from both LAN and WAN, with no password or other authentication required) unless firewall rules were in place to block it. Suffice to say, they were then able to craft a remote attack (a memory-buffer overflow) that enabled them to execute code in the kernel, which tends to mean a hijacked router.
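The practical check that follows from this is whether TCP port 20005 on your own router is reachable, and from which side. The script below is an added example, not code from SentinelLabs, KCodes or any vendor; it distinguishes a listening port ("open") from one that is actively refused ("closed") or silently dropped by a firewall ("filtered"), which is the state you want to see when probing the router's WAN address. The sample addresses are constructed placeholders.

```python
"""Check whether a router's NetUSB service (TCP/20005) is reachable.

Added example for the article above, not code from SentinelLabs or KCodes.
Run it against your router's LAN address from inside the network and against
its public address from a host outside, to see whether the port is exposed
on the WAN side (the "no firewall rules" case the article describes).
"""
import socket
from typing import Dict, Iterable

NETUSB_PORT = 20005  # port the article reports NetUSB listening on (bound to 0.0.0.0)


def probe_tcp(host: str, port: int = NETUSB_PORT, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port.

    'open'     - the TCP handshake completed, so something is listening there.
    'closed'   - the host actively refused (RST): nothing is bound to the port.
    'filtered' - no answer before the timeout, or no route: typically a firewall
                 is dropping the traffic, which is the desired result on WAN.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError, OSError):
        return "filtered"


def audit_netusb(hosts: Iterable[str], port: int = NETUSB_PORT) -> Dict[str, str]:
    """Probe each address and map it to its reachability state."""
    return {host: probe_tcp(host, port) for host in hosts}


if __name__ == "__main__":
    # Constructed sample addresses: replace with your own router's LAN address
    # (probed from inside) and its public address (probed from outside).
    for host, state in audit_netusb(["192.168.1.1", "203.0.113.10"]).items():
        print(f"{host}:{NETUSB_PORT} -> {state}")
```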
The vulnerability (CVE-2021-45608) has been confirmed to work against several of NETGEAR's routers, including the D7800, R6400v2 and R6700v3. But since NetUSB is so widely adopted, it's likely to affect other vendors too. However, D-Link notes that it stopped using this module in 2015 after a different vulnerability was discovered, although that earlier flaw also helped to inform the new research.
SentinelLabs said it began the disclosure process on the 9th of September 2021 and the patch was sent to vendors via KCodes on the 4th of October 2021. But at the time of writing, some manufacturers do not yet appear to have released firmware patches for it, and we suspect that routers in the end-of-life category may never get one.
Max Van Amerongen of SentinelLabs said:
“This vulnerability affects millions of devices around the world and in some instances may be completely remotely accessible. Due to the large number of vendors that are affected by the vulnerability, we reported this vulnerability directly to KCodes to be distributed among their licensees instead of targeting just the TP-Link or the Netgear device in the contest. This ensures that all vendors receive the patch instead of just one during the contest.
While we are not going to release any exploits for it, there is a chance that one may become public in the future despite the rather significant complexity involved in developing one.”
So far, SentinelOne has not discovered any evidence of in-the-wild abuse and, as stated above, it is a bit of a tricky thing to exploit, but it is still feasible for skilled attackers. Hopefully the other vendors complete their checks in a timely fashion and release any necessary firmware updates as soon as possible, ideally before somebody really does exploit it in the wild.