CVE-2021-42987

8.8 HIGH

📋 TL;DR

CVE-2021-42987 is an integer overflow vulnerability in Eltima USB Network Gate's IOCTL handler that allows local attackers to execute arbitrary code with kernel privileges or cause denial of service through memory corruption. This affects users of USB Network Gate versions 7.0.1370 through 9.2.2420. Attackers can exploit this to gain complete system control or crash the operating system.

💻 Affected Systems

Products:
  • Eltima USB Network Gate
Versions: above 7.0.1370 and below 9.2.2420
Operating Systems: Windows, Linux, macOS (where USB Network Gate is installed)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations within the vulnerable version range regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via kernel-mode arbitrary code execution leading to full administrative control, data theft, and persistent backdoor installation.

🟠 Likely Case: Local privilege escalation from standard user to SYSTEM/root privileges, enabling lateral movement and persistence establishment.

🟢 If Mitigated: Limited impact if proper access controls prevent local user access or if the vulnerable software is not installed.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over network.
🏢 Internal Only: HIGH - Local attackers or compromised user accounts can exploit this for privilege escalation within the environment.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but the vulnerability is in a commonly used driver with public technical details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 9.2.2420 and later

Vendor Advisory: https://www.eltima.com/security-advisory/

Restart Required: Yes

Instructions:

1. Download the latest version from the Eltima website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Restrict driver access (platform: all)

Limit access to the vulnerable driver using Windows security policies or Linux permissions:

Windows: icacls "C:\Program Files\Eltima Software\USB Network Gate\*" /deny Users:(RX)
Linux: chmod 750 /usr/local/bin/usbgate

Disable vulnerable service (platform: all)

Stop and disable the USB Network Gate service if it is not required:

Windows: sc stop "USB Network Gate" && sc config "USB Network Gate" start= disabled
Linux: systemctl stop usbgate && systemctl disable usbgate

🧯 If You Can't Patch

  • Remove USB Network Gate software completely if not essential
  • Implement strict local access controls and monitor for suspicious driver activity

🔍 How to Verify

Check if Vulnerable:

Check the installed version of USB Network Gate against the vulnerable range 7.0.1370-9.2.2420.

Check Version:

Windows: "C:\Program Files\Eltima Software\USB Network Gate\usbgate.exe" --version
Linux: usbgate --version
macOS: /Applications/USB\ Network\ Gate.app/Contents/MacOS/usbgate --version

Verify Fix Applied:

Confirm the version is 9.2.2420 or higher and verify that the driver files have been updated.
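To run the version check above across a fleet rather than by eye, here is an added example (not from the advisory or the vendor) that parses the `--version` output numerically and classifies each host; it assumes 7.0.1370 is the first affected build and 9.2.2420 the first fixed build, as the Fix section states, and the host outputs are constructed sample data.

```python
import re
import subprocess

# Bounds taken from this advisory. Assumption: 7.0.1370 is the first affected
# build and 9.2.2420 is the first fixed build ("9.2.2420 and later").
FIRST_AFFECTED = (7, 0, 1370)
FIRST_FIXED = (9, 2, 2420)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first x.y.z build number from --version output as an int tuple.

    Tuples compare numerically; comparing the raw strings would rank
    '9.10.100' below '9.2.2420' and mis-classify a newer build as vulnerable.
    """
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(output):
    """Return 'fixed', 'vulnerable' or 'below_range' for one --version output."""
    version = parse_version(output)
    if version >= FIRST_FIXED:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "vulnerable"
    return "below_range"   # older than the stated range; not asserted safe here


def audit(outputs):
    """Classify a mapping of host name -> captured --version output."""
    return {host: classify(text) for host, text in outputs.items()}


def check_local(argv):
    """Run one of the advisory's --version commands locally and classify it."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return classify(result.stdout)


# Constructed sample outputs standing in for captured --version results.
SAMPLE_OUTPUTS = {
    "host-a": "USB Network Gate 8.1.2000",
    "host-b": "USB Network Gate 9.2.2420",
    "host-c": "USB Network Gate 9.10.100",
    "host-d": "USB Network Gate 6.9.100",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_OUTPUTS).items():
        print(f"{host}: {status}")
```

Call `check_local(["usbgate", "--version"])` (or the Windows/macOS path above) on a real host; the argv form avoids a shell so the quoted Windows path needs no extra escaping.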

📡 Detection & Monitoring

Log Indicators:

  • Unusual IOCTL requests to USB Network Gate driver
  • Privilege escalation attempts from standard users
  • Crash dumps related to usbgate.sys or similar driver files

Network Indicators:

  • Local system calls to vulnerable driver interface

SIEM Query:

EventID=4688 AND (ProcessName LIKE '%usbgate%' OR CommandLine LIKE '%IOCTL%22001B%')
