AWS Among 12 Cloud Services Affected by Flaws in Eltima SDK

Flaws in Eltima SDK

The flaws, which could enable attackers to disable security and gain kernel-level privileges, affect Amazon WorkSpaces and other cloud services that use USB over Ethernet.

Researchers have found a number of high-severity vulnerabilities in a library created by Eltima, the vendor behind the USB Over Ethernet product, that leave about a dozen cloud services used by millions of users worldwide open to privilege-escalation attacks.

Those include Amazon WorkSpaces, Accops and NoMachine, among others: all remote desktop products that build on the Eltima software development kit (SDK) to provide the USB redirection behind the company’s “USB Over Ethernet” product. USB Over Ethernet shares USB devices across a network, so that a user can work with a webcam or other device attached to a remote machine anywhere in the world as if it were physically plugged into their own computer.

The flaws are in the USB Over Ethernet function of the Eltima SDK rather than in the cloud services themselves, but because the server side and the end-user apps share the same code, they affect both the client endpoints (such as laptops and desktops running the Amazon WorkSpaces software) and the cloud-hosted machine instances built from images such as the Amazon Nimble Studio AMI that run in the Amazon cloud.

The flaws allow attackers to escalate privileges and then carry out a range of malicious actions, including crippling the very security products that users depend on for protection. Specifically, the vulnerabilities can be used to “disable security products, overwrite system components, corrupt the operating system or perform malicious operations unimpeded,” SentinelOne senior security researcher Kasif Dekel said in a report published on Tuesday.

SentinelOne traced the vulnerabilities to two kernel drivers responsible for USB redirection, “wspvuhub.sys” and “wspusbfilter.sys”. The bugs are buffer overflows in those drivers, and because the drivers run in the kernel, a local attacker who triggers one can elevate privileges and execute arbitrary code in the kernel.

“An attacker with access to an organization’s network may also gain access to execute code on unpatched systems and use this vulnerability to gain local elevation of privilege,” SentinelOne noted. “Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”

Not Yet Seen in the Wild
The cybersecurity firm has not detected in-the-wild exploitation of the vulnerabilities, of which there are dozens.

The firm reported the flaws last quarter to the vendors concerned, and they have since been fixed. The full list of affected products includes Amazon Nimble Studio AMI, Amazon NICE DCV, Amazon WorkSpaces, Amazon AppStream, NoMachine, Accops HyWorks, Accops HyWorks DVM Tools, Eltima USB Network Gate, Amzetta zPortal Windows zClient, Amzetta zPortal DVM Tools, FlexiHub and Donglify.
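Since the fixes ship as updated drivers inside each vendor’s product, the practical question for an administrator is whether a given Windows endpoint or instance still carries the vulnerable driver builds. The PowerShell below is an added example, not code from the article, SentinelOne or Eltima: it inventories the two driver files named above (whether each is on disk, its file version, its Authenticode signer, and whether the kernel service is currently running). It assumes the embedding product keeps the driver file names quoted in the write-up, and because the article does not state the fixed version numbers, the -PatchedMinimum threshold is a placeholder to be filled from your vendor’s advisory.

```powershell
# Added example, not code from the Threatpost article, SentinelOne or Eltima.
# Inventories the two USB redirection drivers named in the write-up on the local
# Windows host: file present, version, Authenticode signer, kernel service running.
# ASSUMPTIONS: the embedding product keeps the driver file names quoted in the
# article; the fixed versions are not given there, so pass your vendor's value
# as -PatchedMinimum (the default below is a placeholder, not a real threshold).

function Get-UsbRedirectionDriverStatus {
    [CmdletBinding()]
    param(
        # Placeholder: no fixed version is stated in the article, supply your vendor's.
        [version]$PatchedMinimum = [version]'0.0.0.0',
        # Driver file names exactly as quoted in the SentinelOne write-up.
        [string[]]$DriverNames = @('wspvuhub.sys', 'wspusbfilter.sys')
    )

    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    # Kernel services known to the service control manager, so we can tell
    # "file on disk" apart from "driver actually loaded".
    $services = Get-CimInstance -ClassName Win32_SystemDriver

    foreach ($name in $DriverNames) {
        $path   = Join-Path $driverDir $name
        $loaded = $services | Where-Object { $_.PathName -and ($_.PathName -like "*\$name") }
        $running = [bool]($loaded | Where-Object State -eq 'Running')

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Driver  = $name
                Present = $false
                Version = $null
                Signer  = $null
                Running = $running
                Verdict = 'not installed'
            }
            continue
        }

        # Build a [version] from the numeric parts instead of parsing the
        # FileVersion string, which vendors often pad with free text.
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

        $verdict = if ($PatchedMinimum -eq [version]'0.0.0.0') {
            'present; pass -PatchedMinimum to compare against the vendor fix'
        } elseif ($ver -lt $PatchedMinimum) {
            "UPDATE REQUIRED: $ver is below $PatchedMinimum"
        } else {
            "at or above $PatchedMinimum"
        }

        [pscustomobject]@{
            Driver  = $name
            Present = $true
            Version = $ver
            Signer  = "$signer ($($sig.Status))"
            Running = $running
            Verdict = $verdict
        }
    }
}

# Usage: run from an elevated prompt so the signature and service queries succeed.
Get-UsbRedirectionDriverStatus | Format-Table -AutoSize
```

A driver that is present but not running is still worth updating: the file can be loaded later by the product’s service, and the SentinelOne findings concern the code in the driver, not how it was started. Run the same check on golden images and AMIs, not only on live hosts, since the article notes the cloud instances embed the same code as the clients.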

Read more at: threatpost.com