SOHO routers impacted by bug in USB-over-network component
Catalin Cimpanu January 11, 2022


USB-over-network components have been plagued over the past two years by an ever-increasing number of vulnerabilities, and in new research published today, researchers at SentinelOne said they discovered new issues in the USB-over-network component of home and office (SOHO) routers, devices that you would normally not expect to even have such support in the first place.

Tracked as CVE-2021-45388, the vulnerability impacts multiple router vendors and has its origin in NetUSB, a library developed by software company KCodes.

At a technical level, the NetUSB library allows devices on a local (internal) network, such as computers and smartphones, to interact with USB devices plugged into a router, such as printers, USB thumb drives, network-attached storage (NAS) systems, or streaming devices.

The library was developed in the early 2010s and found a niche in high-end routers from companies such as Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital.

Incorrectly configured firmware exposes SOHO routers

But SentinelOne said today that while the library is useful for the features it provides, it was also misconfigured so that it listened for interactions with its USB ports not only on the internal network but also on the external interface connected to the internet.

In a report today, the security firm said that an attacker could craft malicious commands and send them to internet-connected routers on port 20005. If the router was one of the models that included the NetUSB library in its firmware, the commands would exploit an integer overflow vulnerability to run code inside the router kernel, at its deepest level, allowing the threat actors to potentially hijack the device.

Max Van Amerongen, the SentinelOne security researcher who discovered this issue, said today that while the exploit would be hard for non-technical attackers to create, it only takes one publicly released proof-of-concept to start a wave of attacks.

Right now, such a proof-of-concept is not readily available online, and Van Amerongen said that SentinelOne has not yet seen any active exploitation attempts for CVE-2021-45388.

Van Amerongen said he reported the issue to KCodes, and the company released updates to its NetUSB customers this past October.

Unclear what and who’s affected… as usual

However, just like with most vulnerabilities discovered in firmware components, it is currently unclear which of the KCodes customers rolled out their own set of patches and which router models from the vendors named above are vulnerable.

Currently, only Netgear has publicly acknowledged the issue, and released a list of affected models and links to its patches.

Because of the uncertainty around this issue, readers who own a router with USB ports are advised to inquire with their vendor if their product is affected and if a patch is available.

Van Amerongen’s findings come after SentinelOne also found security flaws last month in the Eltima SDK, a library used to support USB-over-network features by multiple cloud providers.

In 2019, security firm Eclypsium also discovered the USBAnywhere vulnerability in the USB-over-network feature of Supermicro baseboard management controllers (BMCs), devices used to build barebone servers in many data centers across the world.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.