AWS Among 12 Cloud Services Affected by Flaws in Eltima SDK

The flaws, which could enable attackers to disable security and gain kernel-level privileges, affect Amazon WorkSpaces and other cloud services that use USB over Ethernet.

Researchers have found a number of high-security vulnerabilities in a library created by network virtualization firm Eltima, that leave about a dozen cloud services used by millions of users worldwide open to privilege-escalation attacks.

That includes Amazon WorkSpaces, Accops and NoMachine, among others: all apps that enable remote desktop access by using the Eltima software development kit (SDK) to enable the company’s “USB Over Ethernet” product. USB Over Ethernet enables sharing of multiple USB devices over Ethernet, so that users can connect to devices such as webcams on remote machines anywhere in the world as if the devices were physically plugged into their own computers.

The flaws are in the USB Over Ethernet function of the Eltima SDK, not in the cloud services themselves, but because of code-sharing between the server side and the end user apps, they affect both clients – such as laptops and desktops running Amazon WorkSpaces software – and cloud-based machine instances that rely on services such as Amazon Nimble Studio AMI, that run in the Amazon cloud.

The flaws allow attackers to escalate privileges so that they can launch a slew of malicious actions, including to kick the knees off the very security products that users depend on for protection. Specifically, the vulnerabilities can be used to “disable security products, overwrite system components, corrupt the operating system or perform malicious operations unimpeded,” SentinelOne senior security researcher Kasif Dekel said in a report published on Tuesday.

Infosec Insiders Newsletter

SentinelOne traced the vulnerabilities to two drivers that are responsible for USB redirection – “wspvuhub.sys” and “wspusbfilter.sys” – that could lead to a buffer overflow that allows an attacker to jack up privileges so as to execute arbitrary code in the kernel.

Buffer overflow scenario. Source: SentineOne.

“An attacker with access to an organization’s network may also gain access to execute code on unpatched systems and use this vulnerability to gain local elevation of privilege,” SentinelOne noted. “Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”

Not Yet Seen in the Wild

The cybersecurity firm hasn’t detected in-the-wild use of the vulnerabilities, of which there are dozens.

The firm reported the flaws last quarter to the appropriate vendors, and they’ve since been fixed. The full list of affected products includes Amazon Nimble Studio AMI, Amazon NICE DCV, Amazon WorkSpaces, Amazon AppStream, NoMachine, Accops HyWorks, Accops HyWorks DVM Tools, Eltima USB Network Gate, Amzetta zPortal Windows zClient, Amzetta zPortal DVM Tools, FlexiHub and Donglify.

Some of the updates are automatically applied, while others require customers to take action. The vendors’ responses:

SentinelOne’s post also includes instructions on a manual update that’s necessary on AWS for users that have either maintenance turned off or AlwaysOn WorkSpaces with OS updates turned off.

SentinelOne also recommends “revoking any privileged credentials deployed to the platform before the cloud platforms have been patched and checking access logs for irregularities.”

The Tip of the Iceberg

Other cloud services using the same libraries are probably affected as well, according to SentinelOne’s advisory: “While we have confirmed these vulnerabilities for AWS, NoMachine and Accops, our testing was limited in scope to these vendors, and we believe it is highly likely other cloud providers using the same libraries would be vulnerable,” the firm said.

As well, given that SentinelOne hasn’t tested both client side and server side vulnerabilities in the products it did check out, there could be yet more vulnerabilities in the analyzed vendors’ products.

Code Flaws Ripple Through the Supply Chain

The security holes, which are also found in Eltima SDK-derived products and proprietary variants, have been “unwittingly inherited by cloud customers,” Dekel wrote.

SentinelOne pointed out that vulnerabilities in third-party code such as the ones found in Eltima’s SDK could spread far and wide, potentially endangering “huge” numbers of products, systems and, ultimately, users: everything and everybody downstream in the cloud supply chain.

Recent instances of the code supply-chain vulnerabilities have included four Microsoft zero-days in the Azure cloud platform’s Open Management Infrastructure (OMI) – a software that many don’t even realize is embedded in a host of services – that showed up in September. Dubbed “OMIGOD” both for the infrastructure’s name and because that’s how researchers reacted when they discovered them, the weaknesses demonstrated a massive security blind spot.

Another example showed up in June, when cryptominer code bombs showed up in the Python Package Index (PyPI): a code repository created in the Python programming language.

SentinelOne pointed to the pandemic-fueled need to adopt new work models to support work-from-home (WFH) staff as adding an edge to these kinds of disclosures: “This required organizations to make use of various solutions that allow WFH employees to securely access their organization’s assets and resources.”

The result has been a booming market for WFH products, but security “has not necessarily evolved accordingly,” the advisory said.

Image courtesy of Blue Coat Photos. Licensing details.

There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.

Register NOW for the LIVE event!

Suggested articles