CVE-2021-43637: 
Homebrew vulnerability analysis and mitigation

Amazon WorkSpaces agent is affected by Buffer Overflow vulnerability (CVE-2021-43637). The vulnerability was discovered in IOCTL Handler 0x22001B in the Amazon WorkSpaces agent versions below v1.0.1.1537, allowing local attackers to execute arbitrary code in kernel mode or cause a denial of service through specially crafted I/O Request Packets. The issue was disclosed in December 2021 (SentinelOne Labs, NVD).

The vulnerability exists in the USB redirection functionality implemented through the wspvuhub.sys and wspusbfilter.sys drivers. The IOCTL handler 0x22001B contains insecure arithmetic operations on user-controlled data without overflow checks when calculating copy size, which can lead to buffer overflow. The code uses METHOD_NEITHER for buffer handling, which doesn't validate or map the supplied buffer, making it prone to exploitation. The vulnerability received a CVSS v3.1 Base Score of 8.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (SentinelOne Labs).

If successfully exploited, the vulnerability allows attackers to execute arbitrary code with kernel privileges, potentially leading to complete system compromise. Attackers could bypass security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded. The vulnerability affects both the end user (AWS WorkSpaces client) and cloud service (AWS WorkSpaces running in AWS Cloud) (SentinelOne Labs).

Amazon has released patches to address this vulnerability. Users should upgrade their Amazon WorkSpaces agent to version v1.0.1.1537 or later. For AutoStop WorkSpaces with maintenance turned off or AlwaysOn WorkSpaces with OS updates turned off, a manual update needs to be performed. Organizations are advised to revoke any privileged credentials deployed to the platform before applying patches and check access logs for irregularities (SentinelOne Labs).