Jump to content

Advisory: Multiple Issues in Realtek SDK Affects Hundreds of Thousands...


David H. Lipman
 Share

Recommended Posts

Advisory: Multiple Issues in Realtek SDK Affects Hundreds of Thousands of Devices Down the Supply Chain

 

Quote

At least 65 vendors affected by severe vulnerabilities that enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. 

Overview

Over the course of a research project focusing on a specific cable modem, we identified that the system was using a dual-SoC design. The main SoC was running a Linux system, while the second SoC – a dedicated Realtek RTL819xD chipset implementing all the access point functions – was found to be running another, stripped-down Linux system from Realtek.

Realtek chipsets are found in many embedded devices in the IoT space. RTL8xxx SoCs – which provide wireless capabilities – are very common. We therefore decided to spend time identifying binaries running on the RTL819xD on our target device, which expose services over the network and are provided by Realtek themselves. Such binaries are packaged as part of the Realtek SDK, which is developed by Realtek and provided to vendors and manufacturers who use the RTL8xxx SoCs.

Supported by IoT Inspector’s firmware analysis platform, we performed vulnerability research on those binaries and identified more than a dozen vulnerabilities – ranging from command injection to memory corruption affecting UPnP, HTTP (management web interface), and a custom network service from Realtek.

By exploiting these vulnerabilities, remote unauthenticated attackers can fully compromise the target device and execute arbitrary code with the highest level of privilege.

We identified at least 65 different affected vendors with close to 200 unique fingerprints, thanks both to Shodan’s scanning capabilities and some misconfiguration by vendors and manufacturers who expose those devices to the Internet. Affected devices implement wireless capabilities and cover a wide spectrum of use cases: from residential gateways, travel routers, Wi-Fi repeaters, IP cameras to smart lightning gateways or even connected toys.

Affected vendor & product

 

Vendor Advisory

 

 

Realtek SDK (www.realtek.com)

https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en
https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf

Vulnerable version Realtek SDK v2.x
Realtek “Jungle” SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT
Realtek “Luna” SDK up to version 1.3.2
Fixed version Realtek SDK branch 2.x: no longer supported by Realtek.
Realtek “Jungle” SDK: patches will be provided by Realtek and needs to be backported.
Realtek “Luna” SDK: version 1.3.2a contains fixes.
CVE IDs CVE-2021-35392 (‘WiFi Simple Config’ stack buffer overflow via UPnP)
CVE-2021-35393 (‘WiFi Simple Config’ heap buffer overflow via SSDP)
CVE-2021-35394 (MP Daemon diagnostic tool command injection)
CVE-2021-35395 (management web interface multiple vulnerabilities)
Impact CVE-2021-35392 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35393 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35394 – 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35395- 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit Q. Kaiser, IoT Inspector Research Lab

 

EDIT:

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/realtek-based-routers-smart-devices-are-being-gobbled-up-by-a-voracious-botnet/

 

Edited by David H. Lipman
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.