FabulaTech is a software provider which offers an array of products designed to facilitate remote endpoint connectivity for businesses. One such function, “USB for Remote Desktop,” works by redirecting USB devices (up to and including USB 3.0) to remote sessions over the Microsoft RDP, Teradici PCoIP, or Citrix ICA protocols. This can be handy for data transfer or for adding functionality offered by USB devices to remote sessions, especially in the current era of work-from-home employment for the majority of information-based employees.
A vulnerability has been found in the bus driver used by this function: it permits users without administrative rights to add a fully controlled software USB device, in effect a virtual device on the destination host. This local driver, which starts when the operating system on the source system boots, can be compromised by an attacker and used to elevate privileges under certain common circumstances. Worse, the same type of vulnerability may also exist in other products.
The crux of the issue is that the driver permits unprivileged users to add the virtual USB device. This illustrates the difficult line between security and functionality. Too much of one (or at least too much applied haphazardly) will always impede the other.
The problem with taking vulnerabilities of this nature seriously (both by system administrators and end users) is that often the descriptions of what could happen during an exploit are too vague, hypothetical or otherwise not specific enough. A concrete potential risk here could involve adding USB devices that can be used to directly manipulate applications on the host, such as keyboards or mice, which can enter information to harvest data or permit the execution of malicious code. Another example might entail invoking a network-based USB device to carry out internal or external attacks. These incidents could occur with no warning or evidence provided to the user.
Microsoft provides some useful tips to programmers as to how to appropriately utilize security descriptors when coding drivers. Assigning an appropriate security descriptor to the device object, for example through the WdmlibIoCreateDeviceSecure or WdfDeviceInitAssignSDDLString routines, restricts access so that a service running under a high-privileged account handles such operations rather than low-privileged user accounts.
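As an added example (not code from the article or from FabulaTech), the routine below audits the DACL of a device-object SDDL string, the format that WdfDeviceInitAssignSDDLString takes, and flags access-allowed ACEs for broad principals such as Everyone (WD) or Users (BU). The restrictive string "D:P(A;;GA;;;SY)(A;;GA;;;BA)" is the WDK's SDDL_DEVOBJ_SYS_ALL_ADM_ALL; any permissive strings fed to it are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
/* SDDL aliases for broad or low-privileged principals: an access-allowed ACE
   for one of these on a device object lets non-admin users open the device. */
static const char *BROAD_SIDS[] = { "WD", "BU", "AU", "IU", "NU", "AN", "AC", "BG", "DU", NULL };
static bool is_broad_sid(const char *sid) {
    for (int i = 0; BROAD_SIDS[i]; i++)
        if (strcmp(sid, BROAD_SIDS[i]) == 0) return true;
    return false;
}
/* Count access-allowed ACEs in the SDDL DACL whose trustee is a broad principal.
 * Returns -1 if there is no "D:" section (a missing DACL means everyone has full
 * access) or the string is malformed. First offending ACE is copied to 'first'. */
int count_broad_allow_aces(const char *sddl, char *first, size_t first_len) {
    const char *p = strstr(sddl, "D:");
    if (!p) return -1;
    p += 2;
    while (*p && *p != '(') {                       /* skip DACL flags: P, AI, AR */
        if (p[0] == 'S' && p[1] == ':') return 0;   /* SACL begins: DACL is empty */
        p++;
    }
    int count = 0;
    while (*p == '(') {
        const char *end = strchr(p, ')');
        char ace[128];
        if (!end || (size_t)(end - p) >= sizeof ace) return -1;
        size_t n = (size_t)(end - p - 1);           /* ACE body without parentheses */
        memcpy(ace, p + 1, n);
        ace[n] = '\0';
        /* body = ace_type;ace_flags;rights;object_guid;inherit_guid;account_sid */
        char *fields[6], *tok = ace; int nf = 0;
        for (char *c = ace; nf < 6; c++) {
            if (*c == ';' || *c == '\0') {
                fields[nf++] = tok;
                if (*c == '\0') break;
                *c = '\0';
                tok = c + 1;
            }
        }
        if (nf != 6) return -1;
        if (strcmp(fields[0], "A") == 0 && is_broad_sid(fields[5])) {
            if (count == 0 && first && first_len)
                snprintf(first, first_len, "%.*s", (int)(end - p + 1), p);
            count++;
        }
        p = end + 1;
    }
    return count;
}
```

On a live Windows system the SDDL string to audit can be obtained by opening the device and calling GetSecurityInfo followed by ConvertSecurityDescriptorToStringSecurityDescriptor; a non-zero result from this check means non-admin users can open the device object.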
The vulnerability was reported to the vendor and submitted to MITRE, receiving the ID of CVE-2020-9332. It should be noted that the precise details as to how the vulnerability is triggered are being kept confidential since there is at present no patch for this flaw. As a result, users of FabulaTech products are advised not to utilize USB for Remote Desktop, or at the very least not to do so on systems which contain or access confidential or security sensitive applications or data.
While at the moment there is a dearth of information related to a potential fix, FabulaTech customers are advised to periodically search for CVE-2020-9332 via Google to see if there are any updates, patches or further advisories.