Security researchers from SentinelLabs have discovered vulnerabilities in USB-over-Ethernet software that leave Amazon Web Services (AWS) and other cloud services open to attack. Some of the affected providers have shipped automatic security updates for the vulnerabilities, several of which are severe – but some fixes require manual action by the customer.
Researchers at SentinelLabs, the research division of SentinelOne, have discovered a number of serious vulnerabilities in driver software that affect AWS and numerous other cloud services. The vulnerabilities allow attackers to escalate their privileges to disable security solutions, overwrite system components, corrupt the operating system, or perform unchecked malicious actions.
Users running affected client versions are exposed to these vulnerabilities, which can have devastating consequences if successfully exploited. Because the vulnerable code exists on both the remote and the local side, remote desktops are affected as well. An attacker with access to an organization's network, for example, could execute code on unpatched systems and use the vulnerability to move laterally through the network and cause further damage.
Cloud desktop solutions like Amazon WorkSpaces use third-party libraries, including the Eltima SDK, to provide "USB-over-Ethernet" capabilities that allow users to connect and share local devices such as webcams. These cloud services are used by millions of customers worldwide. Vulnerabilities in the Eltima SDK, products derived from it, and proprietary variants are thus inherited by cloud customers without their knowledge.
Both the end user (e.g., AWS WorkSpaces customers) and the cloud service (AWS WorkSpaces in the AWS cloud) are exposed to different vulnerabilities. This peculiarity stems from code shared between the server-side and client-side applications. SentinelLabs has confirmed these vulnerabilities for AWS, NoMachine, and Accops through concrete testing. It remains highly likely that other cloud providers using the same libraries are also vulnerable. In addition, not all of the providers tested were examined for both client-side and server-side vulnerabilities, so additional vulnerabilities may exist there as well.
Disclosure and countermeasures
SentinelLabs' findings were proactively reported to the vulnerable vendors in Q2 2021, and all vulnerabilities – 27 in total – have been recorded as CVEs with a corresponding identifier and vulnerability score. The full list of CVEs and affected cloud services can be found here.
At this time, SentinelLabs has found no evidence that the vulnerabilities have been abused by criminals or hackers. Because some of the vulnerabilities require manual patches, users of the affected services are advised to check their current software version immediately and update if necessary. For further technical details on the vulnerabilities, as well as information on how to fix them, see the full report from SentinelLabs.