CVE-2021-42685 – This integer overflow vulnerability in Accops H... (How to Fix)

Q: What is the severity of CVE-2021-42685?

CVE-2021-42685 has a CVSS score of 8.8 (HIGH). This integer overflow vulnerability in Accops HyWorks DVM Tools allows local attackers to execute arbitrary code with kernel privileges or crash the operating system via specially crafted I/O request packets. It affects systems running HyWorks DVM Tools versions prior to 3.3.1.105, primarily impacting cloud environments using USB-over-Ethernet functionality.

📋 TL;DR

This integer overflow vulnerability in Accops HyWorks DVM Tools allows local attackers to execute arbitrary code with kernel privileges or crash the operating system via specially crafted I/O request packets. It affects systems running HyWorks DVM Tools versions prior to 3.3.1.105, primarily impacting cloud environments using USB-over-Ethernet functionality.

💻 Affected Systems

Products:

Accops HyWorks DVM Tools

Versions: All versions prior to 3.3.1.105

Operating Systems: Windows (based on IOCTL handler vulnerability)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems using USB-over-Ethernet functionality, particularly in AWS and other cloud environments as referenced in the advisory.

📦 What is this software?

Hyworks Dvm Tools by Accops

View all CVEs affecting Hyworks Dvm Tools →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via kernel-mode arbitrary code execution leading to full administrative control, data theft, or permanent system damage.

🟠

Likely Case

Privilege escalation from local user to SYSTEM/kernel privileges, enabling persistence, lateral movement, and installation of malware.

🟢

If Mitigated

Limited impact if proper access controls restrict local user accounts and monitoring detects unusual kernel activity.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.

🏢 Internal Only: HIGH - Any authenticated local user can potentially exploit this to gain kernel privileges and compromise the entire system.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and knowledge of IOCTL 0x22005B manipulation. The vulnerability is well-documented with technical details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.1.105

Vendor Advisory: https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/

Restart Required: Yes

Instructions:

1. Download HyWorks DVM Tools version 3.3.1.105 or later from Accops. 2. Uninstall the vulnerable version. 3. Install the patched version. 4. Restart the system.

🔧 Temporary Workarounds

Restrict local user access

windows

Limit local user accounts to only essential personnel and implement least privilege principles.

Disable USB-over-Ethernet functionality

windows

If not required, disable the HyWorks DVM Tools service or USB-over-Ethernet features.

sc stop "HyWorks DVM Service"
sc config "HyWorks DVM Service" start= disabled

🧯 If You Can't Patch

Implement strict access controls to limit local user accounts and monitor for privilege escalation attempts.
Deploy endpoint detection and response (EDR) solutions to detect and block kernel-mode exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check HyWorks DVM Tools version in Control Panel > Programs and Features or via 'wmic product get name,version' command.

Check Version:

wmic product where "name like '%HyWorks%'" get name,version

Verify Fix Applied:

Verify installed version is 3.3.1.105 or later and check that the HyWorks DVM Service is running without errors.

📡 Detection & Monitoring

Log Indicators:

Windows Event Logs showing unexpected kernel-mode driver activity
Security logs showing privilege escalation from standard user to SYSTEM

Network Indicators:

Unusual outbound connections from system processes post-exploitation

SIEM Query:

EventID=4688 AND NewProcessName LIKE '%cmd.exe%' AND SubjectUserName!=SYSTEM AND TokenElevationType=%%1938

📊 Metadata

CVE ID: CVE-2021-42685

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-190

Published: December 7, 2021

Last Updated: November 21, 2024

🔗 References

https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/ Exploit,Technical Description,Third Party Advisory
https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/ Exploit,Technical Description,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-42685, you might also want to check these: