A high-severity remote code execution vulnerability has been discovered in the KCodes NetUSB kernel module, which is used by millions of end-user router devices from various vendors.
SentinelOne published an analysis of the bug, which is tracked as CVE-2021-45388.
KCodes NetUSB is a Linux kernel module that enables devices on a local network to provide USB-based services over IP. It ships in products including routers, printers, and flash storage devices.
The software is currently licensed by a large number of network device vendors, so the flaw affects millions of end-user router devices.
The security researcher Max Van Amerongen discovered the bug while examining a Netgear device. The kernel module, NetUSB, did not properly validate the size of packets fetched via remote connections, allowing a potential heap buffer overflow.
According to Van Amerongen, although a malicious payload that triggers CVE-2021-45388 would be difficult to write because of coding constraints, an exploit could result in remote code execution in the kernel.
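The class of check described above, validating a peer-supplied size before allocating and copying, is shown here as an added example; it is not NetUSB code and not from the SentinelOne analysis. The wire format (a 4-byte little-endian length prefix), the limits, and all names are assumptions, and the wraparound note goes slightly beyond what the article states.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN     4u     /* assumed: 4-byte little-endian length prefix */
#define MAX_PAYLOAD 4096u  /* assumed protocol limit */
#define TRAILER_LEN 16u    /* assumed bookkeeping bytes added to each allocation */

enum parse_status { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_TOO_BIG = -2, PARSE_NOMEM = -3 };

/*
 * Copy one length-prefixed message out of `in` (bytes received from the peer).
 * On PARSE_OK, *out is a heap buffer holding *out_len payload bytes; the
 * caller frees it. On any error, *out is NULL and *out_len is 0.
 */
int parse_message(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len)
{
    uint32_t declared;
    uint8_t *buf;

    *out = NULL;
    *out_len = 0;
    if (in_len < HDR_LEN)
        return PARSE_SHORT;

    declared = (uint32_t)in[0] | (uint32_t)in[1] << 8 |
               (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;

    /* Bound the untrusted size before doing arithmetic with it: a 32-bit sum
     * such as declared + TRAILER_LEN wraps for values near UINT32_MAX, which
     * would yield a small allocation followed by a large copy. */
    if (declared > MAX_PAYLOAD)
        return PARSE_TOO_BIG;

    /* The peer must actually have sent as many bytes as it declared. */
    if (in_len - HDR_LEN < declared)
        return PARSE_SHORT;

    buf = calloc(1, (size_t)declared + TRAILER_LEN);
    if (buf == NULL)
        return PARSE_NOMEM;

    memcpy(buf, in + HDR_LEN, declared);
    *out = buf;
    *out_len = declared;
    return PARSE_OK;
}
```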
Vendors including Netgear, TP-Link, D-Link, and Western Digital license the software, and they are now aware of the security flaw.
The researchers disclosed their findings to KCodes directly on September 9. A proof-of-concept patch was made available on October 4 and was sent to all vendors on November 17.
Firmware updates, such as those detailed in the advisory issued by Netgear, have either been issued or are underway.
As of now, no exploitation has been discovered in the wild.
The researcher concluded that, although they are not going to release any exploits for it, there is a chance that one may become public in the future despite the rather significant complexity involved in developing one.