CVE-2021-42687
📋 TL;DR
This is a local privilege escalation vulnerability in Accops HyWorks Windows Client where attackers can exploit a buffer overflow in the IOCTL Handler 0x22005B. Successful exploitation allows arbitrary code execution in kernel mode or denial of service via memory corruption. Only affects systems running vulnerable versions of Accops HyWorks Windows Client.
💻 Affected Systems
- Accops HyWorks Windows Client
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with kernel-level code execution leading to persistent backdoors, data theft, or ransomware deployment across the network.
Likely Case
Local privilege escalation from standard user to SYSTEM/administrator privileges, enabling lateral movement and persistence establishment.
If Mitigated
Limited to denial of service (system crash) if exploit fails or security controls prevent full code execution.
🎯 Exploit Status
Exploit requires local access but is relatively straightforward once initial access is obtained. The vulnerability is in a widely used component across major cloud platforms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.8.200 and later
Vendor Advisory: https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/
Restart Required: Yes
Instructions:
1. Download HyWorks Windows Client version 3.2.8.200 or later from official vendor sources.
2. Uninstall the previous vulnerable version.
3. Install the updated version.
4. Restart the system to ensure the changes take effect.
🔧 Temporary Workarounds
Disable vulnerable IOCTL handler
Restrict access to the vulnerable IOCTL 0x22005B through registry modifications or security policies
reg add "HKLM\SYSTEM\CurrentControlSet\Services\HyWorks\Parameters" /v "BlockIOCTL" /t REG_DWORD /d 0x22005B /f
Remove or disable HyWorks service
Temporarily disable the vulnerable service if USB-over-Ethernet functionality is not required
sc stop HyWorks
sc config HyWorks start= disabled
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit initial compromise opportunities
- Deploy application whitelisting to prevent unauthorized code execution even if privilege escalation occurs
🔍 How to Verify
Check if Vulnerable:
Check HyWorks version: Open Control Panel > Programs and Features, look for 'Accops HyWorks Windows Client' and verify version is below 3.2.8.200
Check Version:
wmic product where "name like 'Accops HyWorks%'" get version
Verify Fix Applied:
Confirm installed version is 3.2.8.200 or higher in Control Panel > Programs and Features
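The version check above is only reliable if the comparison is numeric per component: a lexical string compare would rank "3.2.10.0" below "3.2.8.200" and report a patched host as vulnerable. The following is an added example (not part of the advisory and not vendor code) that parses the output of the wmic command shown above and compares it against the fixed version 3.2.8.200. It assumes wmic prints a "Version" header line followed by one value per matching product; the sample output embedded below is constructed, not captured from a real host.

```python
"""Compare an installed Accops HyWorks Windows Client version against
the first fixed release (3.2.8.200) using numeric, per-component comparison."""
import re
from typing import Optional, Tuple

FIXED_VERSION = "3.2.8.200"  # first fixed version, from the advisory above

# Constructed sample of what
#   wmic product where "name like 'Accops HyWorks%'" get version
# prints: a header line, then one version per matching product (assumed format).
SAMPLE_WMIC_OUTPUT = "Version  \n3.2.7.100  \n"


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into an integer tuple so that comparison is
    numeric per component (3.2.10.0 > 3.2.8.200), not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the first fixed release.
    A shorter tuple such as (3, 2, 8) sorts below (3, 2, 8, 200), which is
    the intended result for a build that predates the fix."""
    return parse_version(installed) < parse_version(fixed)


def version_from_wmic_output(output: str) -> Optional[str]:
    """Extract the version value from wmic output.
    Returns None when nothing matched, i.e. the client is not installed
    under the expected product name and needs manual inspection."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines or lines[0].lower() != "version":
        return None
    values = [ln for ln in lines[1:] if re.fullmatch(r"\d+(\.\d+)*", ln)]
    return values[0] if values else None


def assess(output: str) -> str:
    """Turn raw wmic output into a verdict string for a ticket or report."""
    found = version_from_wmic_output(output)
    if found is None:
        return "not installed or product name differs; check Control Panel manually"
    state = "VULNERABLE" if is_vulnerable(found) else "patched"
    return f"installed {found}: {state} (fixed in {FIXED_VERSION})"


if __name__ == "__main__":
    print(assess(SAMPLE_WMIC_OUTPUT))
```

On a real host, pipe the wmic output into `assess()` instead of the constructed sample; the verdict logic is the same.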
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from HyWorks service
- Access attempts to IOCTL 0x22005B in system logs
- Kernel memory corruption events in Windows Event Logs
Network Indicators:
- Unusual outbound connections from systems running HyWorks client
SIEM Query:
EventID=4688 AND (NewProcessName="*HyWorks*" OR ParentProcessName="*HyWorks*") | stats count by Computer, NewProcessName
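The SIEM query above counts process-creation events (Security event 4688) that involve HyWorks. As an added example that is not part of the advisory, the script below applies the same filter and aggregation to a handful of records and additionally separates the plain count from the "unusual process creation from HyWorks" indicator listed under Log Indicators: a child process spawned by a HyWorks parent from outside the client's install directory. The records are constructed in a simple `key=value|key=value` form for the purpose of the example; real 4688 events come from the Windows Security log and would need the appropriate collector or parser in front of this logic. The install path used for the "expected" location is an assumption.

```python
"""Aggregate constructed Security 4688 records involving HyWorks, mirroring
the SIEM query: count by Computer and NewProcessName, and flag children
of a HyWorks parent that run from outside the client's install directory."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Assumed install directory of the client; adjust to the real deployment.
HYWORKS_DIR = r"C:\Program Files\Accops\HyWorks"

# Constructed sample records (not real captures), one event per line.
SAMPLE_EVENTS = [
    r"EventID=4688|Computer=WS01|NewProcessName=C:\Program Files\Accops\HyWorks\HyWorksClient.exe|ParentProcessName=C:\Windows\explorer.exe",
    r"EventID=4688|Computer=WS01|NewProcessName=C:\Windows\System32\cmd.exe|ParentProcessName=C:\Program Files\Accops\HyWorks\HyWorksClient.exe",
    r"EventID=4688|Computer=WS02|NewProcessName=C:\Windows\System32\notepad.exe|ParentProcessName=C:\Windows\explorer.exe",
    r"EventID=4689|Computer=WS02|NewProcessName=C:\Program Files\Accops\HyWorks\HyWorksClient.exe|ParentProcessName=C:\Windows\explorer.exe",
    r"EventID=4688|Computer=WS02|NewProcessName=C:\Program Files\Accops\HyWorks\HyWorksClient.exe|ParentProcessName=C:\Windows\explorer.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for chunk in line.split("|"):
        key, sep, value = chunk.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def involves_hyworks(event: Dict[str, str]) -> bool:
    """Same predicate as the SIEM query: a 4688 event whose new or parent
    process path contains 'HyWorks' (case-insensitive)."""
    if event.get("EventID") != "4688":
        return False
    return any("hyworks" in event.get(k, "").lower()
               for k in ("NewProcessName", "ParentProcessName"))


def count_by_computer_and_process(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Equivalent of '| stats count by Computer, NewProcessName'."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_event(line)
        if involves_hyworks(event):
            counts[(event.get("Computer", ""), event.get("NewProcessName", ""))] += 1
    return dict(counts)


def unusual_children(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Children of a HyWorks parent whose own image lives outside the
    HyWorks install directory. A shell or script host spawned by the client
    is the pattern worth a closer look; the client starting itself is not."""
    flagged = []
    for line in lines:
        event = parse_event(line)
        if not involves_hyworks(event):
            continue
        parent = event.get("ParentProcessName", "").lower()
        child = event.get("NewProcessName", "").lower()
        if "hyworks" in parent and not child.startswith(HYWORKS_DIR.lower()):
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    for (computer, proc), n in sorted(count_by_computer_and_process(SAMPLE_EVENTS).items()):
        print(f"{computer:6} {n:3}  {proc}")
    for ev in unusual_children(SAMPLE_EVENTS):
        print("unusual child:", ev["Computer"], ev["NewProcessName"], "<-", ev["ParentProcessName"])
```

The plain count reproduces the SIEM query's output and will mostly show the client starting normally; `unusual_children()` is the narrower signal to alert on, since it isolates processes the client launched rather than the client itself.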