CVE-2021-42976

8.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in NoMachine Enterprise Desktop allows local attackers to execute arbitrary code with kernel privileges or cause denial of service via memory corruption. This affects users running NoMachine Enterprise Desktop versions 4.0.346 through 7.7.4. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • NoMachine Enterprise Desktop
Versions: Above 4.0.346 and below 7.7.4
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations within the affected version range are vulnerable. The vulnerability is in the IOCTL handler for USB-over-Ethernet functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via kernel-mode arbitrary code execution leading to full administrative control, data theft, and persistent backdoor installation.

🟠 Likely Case

Privilege escalation from a standard user to SYSTEM/root level, enabling lateral movement, credential harvesting, and installation of additional malware.

🟢 If Mitigated

Limited impact if proper access controls prevent local attackers from reaching vulnerable systems, though denial of service could still occur.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local system access to exploit.
🏢 Internal Only: HIGH - Internal attackers with standard user access can escalate to kernel privileges, posing significant risk in multi-user environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and knowledge of IOCTL manipulation. The vulnerability is in a widely used component that could be targeted by sophisticated attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.7.4 and later

Vendor Advisory: https://www.nomachine.com/

Restart Required: Yes

Instructions:

1. Download NoMachine Enterprise Desktop version 7.7.4 or later from the official website.
2. Install the update following standard installation procedures.
3. Restart the system to ensure all components are properly loaded.

🔧 Temporary Workarounds

Disable USB-over-Ethernet functionality (applies to: all platforms)

Remove or restrict access to the vulnerable IOCTL handler by disabling USB-over-Ethernet features. Specific commands depend on OS and configuration; consult NoMachine documentation.

Restrict local user access (applies to: all platforms)

Implement strict access controls to prevent untrusted users from accessing systems running NoMachine.

🧯 If You Can't Patch

  • Implement strict principle of least privilege and limit local user access to vulnerable systems
  • Monitor for unusual process creation or privilege escalation attempts using endpoint detection tools

🔍 How to Verify

Check if Vulnerable:

Check NoMachine version via the application interface or by examining installed software version. Vulnerable if version is between 4.0.346 and 7.7.4.

Check Version:

On Windows: Check Programs and Features. On Linux: 'nomachine --version' or check package manager. On macOS: Check About NoMachine in application menu.

Verify Fix Applied:

Verify NoMachine version is 7.7.4 or later through the application interface or system software inventory.
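As an added check (not part of this advisory and not NoMachine's own tooling), the following Python script parses version strings out of inventory lines, such as the output of 'nomachine --version' or a software-inventory export, and classifies each against the range stated above. It assumes 4.0.346 <= version < 7.7.4 is affected and 7.7.4 or later is fixed; the sample inventory lines are constructed.

```python
import re

AFFECTED_FROM = (4, 0, 346)   # first affected build named in this advisory
FIXED_IN = (7, 7, 4)          # "Patch Version: 7.7.4 and later"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a major.minor.build triple out of free text such as the output of
    'nomachine --version' or a software-inventory line. Raises ValueError when
    no dotted triple is present so callers never silently treat junk as safe."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, build = (int(part) for part in match.groups())
    return (major, minor, build)


def is_vulnerable(version):
    """Assumed boundaries: 4.0.346 <= version < 7.7.4. Tuple comparison gives
    numeric ordering (7.7.10 > 7.7.4), which a string compare would get wrong."""
    return AFFECTED_FROM <= version < FIXED_IN


def assess(inventory_line):
    """Classify one line as 'vulnerable', 'fixed', 'unaffected' or 'unknown'."""
    try:
        version = parse_version(inventory_line)
    except ValueError:
        return "unknown"        # surface for manual follow-up, do not assume safe
    if is_vulnerable(version):
        return "vulnerable"
    if version >= FIXED_IN:
        return "fixed"
    return "unaffected"         # older than the first affected build


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    samples = [
        "host01 NoMachine Enterprise Desktop 7.6.2",
        "host02 NoMachine Enterprise Desktop 7.7.4",
        "host03 NoMachine Enterprise Desktop 7.7.10",
        "host04 NoMachine Enterprise Desktop 4.0.345",
        "host05 NoMachine Enterprise Desktop (version unknown)",
    ]
    for line in samples:
        print(f"{assess(line):<11} {line}")
```

Lines that yield "unknown" deserve a manual look rather than being counted as patched.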

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation with SYSTEM privileges
  • Failed attempts to access restricted kernel memory areas
  • Crash logs from NoMachine service

Network Indicators:

  • Unusual local network traffic from NoMachine processes
  • Attempts to access USB-over-Ethernet components

SIEM Query:

Process Creation where Parent Process contains 'nomachine' AND Integrity Level changes to SYSTEM
