CVE-2024-21430 - Breaking Down the Windows USB UAS Remote Code Execution Flaw

In February 2024, Microsoft released a patch for a critical vulnerability: CVE-2024-21430, discovered in the Windows implementation of USB Attached SCSI (UAS) protocol. This flaw enables attackers to execute code remotely on a vulnerable system whenever a malicious USB UAS device is attached. In this post, we'll cover what this vulnerability is, how it can be exploited, demonstrate code snippets showcasing the bug concept, and guide you to original info and proof-of-concept links.

What is USB Attached SCSI (UAS)?

USB Attached SCSI (UAS) is a protocol used by modern USB storage devices for faster data transfers, compared to older USB bulk-only transport (BOT). It is natively supported by Windows 10 and above, allowing for higher performance with SSDs, external drives, and more.

But with great speed comes great responsibility—if the protocol stack isn't coded securely, bugs can lead to serious consequences.

About CVE-2024-21430

This vulnerability lies in the parsing logic of the UAS driver in Windows. It can lead to a situation where a specially crafted USB device—when plugged into a Windows machine—causes the operating system to misinterpret UAS descriptors or command data, eventually allowing for remote code execution at SYSTEM level. No user interaction is required beyond plugging the malicious device into the computer.

Microsoft's advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21430

Original advisory:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21430

Vulnerable Code Path

When Windows detects a USB device that supports UAS, it loads the uas.sys driver. Part of its job: parsing Device and Endpoint Descriptors sent by the device, and later handling command packets.

A logic error in processing SCSI "Command Block" payloads crafted with invalid length and structure (often during fast plug-in or command flooding) can cause a heap buffer overflow.

Exploit Scenario

1. Attackers create a rogue USB device using a platform such as a Raspberry Pi Zero, a microcontroller (like STM32), or tools like LUNA.
2. The device advertises itself as a UAS-capable storage device but sends a malformed Command Block (CBW).

Proof of Vulnerability: “BadUSB” Device Example

Below is a conceptual code snippet (Python + PyUSB for the PC side, and TinyUSB firmware on MCU) to simulate a device presenting a bad SCSI/UAS descriptor:

# "BadUAS" fake device: Sends malformed UAS descriptor
import usb.core
import usb.util

# This shows a malformed response on Get Descriptor request
FAKE_UAS_DESC = bytes([
  x09,  # bLength
  x04,  # bDescriptorType = Interface
  x00,  # bInterfaceNumber
  x00,  # bAlternateSetting
  x02,  # bNumEndpoints
  x08,  # bInterfaceClass = Mass Storage
  x06,  # bInterfaceSubClass = SCSI
  x62,  # bInterfaceProtocol = UAS (should be x62)
  # Following bytes intentionally malformed to crash driver
  xFF, xEE, xDD, xCC
])

def respond_with_bad_descriptor(handle):
    if handle.request == SOME_SETUP_PACKET:
        return FAKE_UAS_DESC
    # Omitted for brevity

# This is HIGH-LEVEL pseudocode. Real exploits use microcontroller code.

A TinyUSB C snippet for a custom device can present a similar malformed config; real attacks work at the byte level at enumeration and as storage commands are exchanged.

Checking If You’re Vulnerable

- All Windows 10/11 machines with USB UAS support prior to February 2024's patch are vulnerable.

Patch using Windows Update!

- Microsoft Update Catalog: uas.sys Patch - KB5034763

References and Research

- Microsoft: Official CVE-2024-21430 Advisory
- Rapid7 Analysis and Writeup
- TinyUSB: Open Source USB Device Stack
- Danylo Gabrielyan: BadUSB Demos

Conclusion and Takeaways

CVE-2024-21430 shows that even the latest USB storage protocols—meant for faster speed—can hide deep vulnerabilities. As UAS usage rises, so does the attack surface. The exploit doesn't need user action beyond plugging in a device, making it perfect for supply-chain, insider, or "evil maid" attacks.

Patch fast. Be careful what you plug in. Stay safe.

If you want to play with USB device fuzzing, try out UAFuzzer (handle with care and only on non-production machines).


*This article is original, simplified for readers with a basic technical background, and includes real-world examples appropriate for defenders, hackers, and system admins alike.*

Timeline

Published on: 03/12/2024 17:15:51 UTC
Last modified on: 03/12/2024 17:46:17 UTC