CVE-2021-42994

8.8 HIGH

📋 TL;DR

CVE-2021-42994 is a buffer overflow vulnerability in Donglify's IOCTL handler that allows local attackers to execute arbitrary code with kernel privileges or cause denial of service via memory corruption. This affects systems running vulnerable versions of Donglify software, primarily in cloud environments using USB-over-Ethernet functionality. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Donglify
  • USB-over-Ethernet software
Versions: Above 1.0.12309, below 1.7.14110
Operating Systems: Windows, Linux systems running affected Donglify versions
Default Config Vulnerable: ⚠️ Yes
Notes: Primarily affects cloud environments and systems using USB-over-Ethernet functionality for remote USB device access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via kernel-mode arbitrary code execution leading to full administrative control, data theft, and persistent backdoor installation.

🟠

Likely Case

Privilege escalation from standard user to SYSTEM/root privileges, enabling lateral movement and installation of malware.

🟢

If Mitigated

Limited impact if proper access controls prevent local user access to vulnerable systems or if vulnerable software is not installed.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local system access, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Once an attacker gains initial access to a system (even as low-privilege user), they can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is relatively straightforward once local access is obtained. The vulnerability is in a documented IOCTL handler with known buffer overflow patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.14110 and later

Vendor Advisory: https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/

Restart Required: Yes

Instructions:

1. Download the latest Donglify version from the official vendor site.
2. Uninstall the current vulnerable version.
3. Install patched version 1.7.14110 or later.
4. Restart the system to ensure the kernel driver update takes effect.

🔧 Temporary Workarounds

Remove Donglify software (Platform: all)

Uninstall Donglify completely if USB-over-Ethernet functionality is not required:

Control Panel > Programs > Uninstall Donglify (Windows)
sudo apt remove donglify (Linux)
sudo yum remove donglify (Linux)

Restrict IOCTL access (Platform: windows)

Use application control policies to restrict access to vulnerable IOCTL codes

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized local user access to affected systems
  • Use application whitelisting to prevent execution of potential exploit code

🔍 How to Verify

Check if Vulnerable:

Check Donglify version: Windows - Check Programs and Features; Linux - Check package version. Verify version is between 1.0.12309 and 1.7.14110.

Check Version:

Windows: wmic product where name='Donglify' get version
Linux: donglify --version or rpm -q donglify

Verify Fix Applied:

Confirm Donglify version is 1.7.14110 or later. Test that USB-over-Ethernet functionality still works properly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual IOCTL calls to device driver
  • Processes spawning with SYSTEM privileges from user accounts
  • Crash dumps from kernel mode

Network Indicators:

  • Not applicable - local exploitation only

SIEM Query:

EventID=4688 AND NewProcessName='*' AND ParentProcessName='*' AND SubjectUserName!='SYSTEM' AND TokenElevationType='%%1938'
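The version check above and the "processes spawning with SYSTEM privileges from user accounts" log indicator can both be scripted. The following is an added example written for this page, not code from the advisory or from the vendor: it compares a reported Donglify version numerically against the affected range (above 1.0.12309, below 1.7.14110), and it scans Windows Security event 4688 records for processes whose creator (SubjectUserName) is an ordinary user while the new process runs as SYSTEM (TargetUserName). The event records are constructed inline in JSON-lines form for the demonstration; real exports will carry more fields, and the field names assumed here are the standard 4688 names.

```python
"""Added example for CVE-2021-42994 (not from the advisory or the vendor):
1. is_affected(): numeric version-range test for the affected Donglify builds.
2. find_user_to_system_spawns(): scan 4688 records for the log indicator
   'process spawned with SYSTEM privileges from a user account'.
"""
import json

AFFECTED_LOWER = "1.0.12309"   # exclusive lower bound, from the advisory
FIXED_VERSION = "1.7.14110"    # first patched build, from the advisory


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers so that comparison is numeric
    (1.7.14110 < 1.10.0), not lexical ("1.7.14110" > "1.10.0")."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when AFFECTED_LOWER < version < FIXED_VERSION."""
    v = parse_version(version)
    return parse_version(AFFECTED_LOWER) < v < parse_version(FIXED_VERSION)


# Constructed sample of Windows Security events exported as JSON lines.
# Backslashes are doubled because the text is JSON; the raw string keeps them.
SAMPLE_4688_JSONL = r"""
{"EventID": 4688, "SubjectUserName": "alice", "TargetUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "ParentProcessName": "C:\\Windows\\explorer.exe", "TokenElevationType": "%%1938"}
{"EventID": 4688, "SubjectUserName": "SYSTEM", "TargetUserName": "SYSTEM", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "ParentProcessName": "C:\\Windows\\System32\\services.exe", "TokenElevationType": "%%1936"}
{"EventID": 4688, "SubjectUserName": "alice", "TargetUserName": "SYSTEM", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Users\\alice\\unknown.exe", "TokenElevationType": "%%1937"}
{"EventID": 4624, "SubjectUserName": "alice", "TargetUserName": "alice"}
"""


def find_user_to_system_spawns(jsonl: str, trusted_creators=("SYSTEM",)) -> list:
    """Return (creator, parent, new_process) for every 4688 record in which a
    non-trusted account created a process that runs as SYSTEM.

    Account names are compared case-insensitively because Windows treats them
    that way. trusted_creators is a tuning knob: add service accounts that
    legitimately launch SYSTEM processes in your environment."""
    trusted = {name.casefold() for name in trusted_creators}
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 4688:
            continue                      # only process-creation events matter
        creator = event.get("SubjectUserName", "")
        target = event.get("TargetUserName", "")
        if creator.casefold() in trusted:
            continue                      # SYSTEM spawning SYSTEM is normal
        if target.casefold() == "system":
            hits.append((creator,
                         event.get("ParentProcessName", ""),
                         event.get("NewProcessName", "")))
    return hits


if __name__ == "__main__":
    for v in ("1.0.12309", "1.0.12310", "1.5.0", "1.7.14110", "1.10.0"):
        print(f"Donglify {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for creator, parent, child in find_user_to_system_spawns(SAMPLE_4688_JSONL):
        print(f"ALERT: {creator} -> SYSTEM process {child} (parent {parent})")
```

The creator/target split is the point of the scan: a single 4688 record carries both the account that called CreateProcess and the account the new process runs as, so "user creates SYSTEM process" is one record, not a correlation across events. Expect some benign hits from scheduled tasks and service control paths; extend trusted_creators or filter on ParentProcessName before alerting.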
