USB for Remote Desktop software by FabulaTech has a critical CVE-2020-9332 vulnerability that allows privilege escalation
Researchers from SentinelOne have discovered an unpatched vulnerability in the USB for Remote Desktop software that would let an attacker with a low-privileged account add fake USB devices and gain elevated privileges.
According to a report published by SentinelOne, USB for Remote Desktop, made by FabulaTech, redirects local USB devices to a remote system. The unpatched vulnerability in it could allow an attacker to elevate privileges on a targeted PC, laptop or server by adding fake devices. The researchers have given the bug the identifier CVE-2020-9332.
The researchers say the flaw resides in the bus driver for “USB for Remote Desktop” developed by FabulaTech. USB for Remote Desktop retails for around $199 a pop and has many big-ticket clients, including Google, Microsoft, Texas Instruments, BMW, MasterCard, NASA, Reuters and Intel.
FabulaTech installs a bus driver as part of its “USB for Remote Desktop” software product. SentinelOne researchers found that a flaw in the bus driver allows low-privileged users to add a fully controlled software USB device, which an attacker could use to elevate privileges under certain common circumstances.
Because USB for Remote Desktop is deployed by many organizations, the bug gives an attacker who already has a low-privileged foothold a path to higher privileges on those systems. SentinelOne says it has reached out to FabulaTech, but the company has not issued a patch for the bug so far.
Unfortunately, the vendor did not acknowledge the vulnerability. We tried to contact the vendor via email on Jan 29, 2020 and Feb 4, 2020; however, we received no response. We also posted a message to the FabulaTech forum, but the message was deleted by administrators. To reduce the possible security impact from CVE-2020-9332, we recommend refraining from using USB for Remote Desktop until the vendor addresses the issue. We will update the post if the flaw gets fixed.
The current version of USB for Remote Desktop software by FabulaTech is version 6.0 for Windows (released on November 22, 2019) and version 5.2.29 for Linux (released on May 8, 2018). If you use either of these two versions, the SentinelOne researchers recommend you remove them until FabulaTech patches them.
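Acting on that advice first requires knowing which Windows hosts actually carry the product and its bus driver. The script below is an added inventory check written for this page; it is not code from the article, from SentinelOne or from FabulaTech. It assumes the product's uninstall entry carries a DisplayName containing "USB for Remote Desktop" or a Publisher containing "FabulaTech", and that the bus driver and its kernel service report a provider, manufacturer or path containing "FabulaTech"; those match strings are assumptions to adjust against your own software inventory.

```powershell
# Added example (not from the article, SentinelOne or FabulaTech): find installed copies of
# "USB for Remote Desktop" and FabulaTech driver components on a Windows host so that affected
# machines can be identified and the product removed until a fix ships.
# Assumption: display names, publisher, driver provider and service paths contain one of the
# strings below. Run in an elevated session for complete driver and service results.

$pattern = 'USB for Remote Desktop|FabulaTech'   # assumed match strings

# 1. Installed-program entries (64-bit, 32-bit and per-user uninstall hives)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { ($_.DisplayName -match $pattern) -or ($_.Publisher -match $pattern) } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString

# 2. Signed PnP drivers whose vendor strings point at FabulaTech; the bus driver is the
#    component the SentinelOne researchers say carries CVE-2020-9332
$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver -ErrorAction SilentlyContinue |
    Where-Object { ($_.Manufacturer -match $pattern) -or ($_.DriverProviderName -match $pattern) } |
    Select-Object DeviceName, DriverVersion, DriverProviderName, InfName, DeviceClass

# 3. Kernel services (installed or running) whose display name or binary path matches
$services = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { ($_.DisplayName -match $pattern) -or ($_.PathName -match $pattern) } |
    Select-Object Name, DisplayName, State, PathName

if (-not $programs -and -not $drivers -and -not $services) {
    Write-Output "No USB for Remote Desktop / FabulaTech components found on ${env:COMPUTERNAME}."
} else {
    Write-Output "Possible CVE-2020-9332 exposure on ${env:COMPUTERNAME}:"
    $programs | Format-Table -AutoSize
    $drivers  | Format-Table -AutoSize
    $services | Format-Table -AutoSize
    Write-Output "No vendor patch is available; the researchers' advice is to uninstall the product (see UninstallString above)."
}
```

The three lookups are deliberately independent: a machine where the uninstall entry was removed but the driver package was left in the driver store still shows up under the driver or service check, and the UninstallString column gives the removal command that the researchers' guidance calls for. Run it across a fleet with your usual remoting tooling and keep the output as the record of which hosts were exposed.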