Severe Vulnerabilities in  Realtek SDK Affects Around Millions of IoT Devices

Researchers uncovered multiple severe vulnerabilities in Realtek SDK That affects nearly a million IoT devices, travel routers, Wi-Fi repeaters, IP camera, smart lights and more.

Successful exploitation of these vulnerabilities allows attackers to fully compromise the target IoT devices and gain high-level privilege by executing the arbitrary code remotely.

Realtek chipsets are used in various embedded devices in IoT environments and  RTL8xxx SoCs are providing wireless capabilities and support binaries that contain more than a dozen vulnerabilities such as command injection to memory corruption.

Identified vulnerabilities are affects the different components such as UPnP & SSDP WiFi Simple Config, MP Daemon, and management web interfaces.

Researchers from IoT Inspector revealed that at least 65 different affected vendors with close to 200 unique fingerprints with the help of shodan, and the vendors who have misconfigured their devices which helps researchers to found these vulnerabilities.

Therse are several version of the Realtek chipsets are vulnerable as follows:-

  • Realtek SDK v2.x
  • Realtek “Jungle” SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT
  • Realtek “Luna” SDK up to version 1.3.2

CVE-2021-35392 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35393 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35394 – 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35395- 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Realtek Vulnerability Analysis

The vulnerabilities are affected by the different Realtek components including UPnP vulnerabilities, Web Management Interface vulnerabilities, and UDPServer Vulnerabilities.

UPnP vulnerbilities:

There are two vulnerabilities (CVE-2021-35392) that affect the UPnP that is used by Realtek Jungle SDK version v2.x up to v3.4.14B, and it was uncovered in the following binaries used by UPnP.

  • mini_upnpd: seems to be only handling SSDP packets and does not expose a UPnP HTTP interface. For every firmware image we identified to contain a mini_upnpd binary, wscd was also present.
  • wscd: aka ‘Realtek WiFi Simple-Config Daemon’, implements both SSDP packet handling and a UPnP HTTP interface.

Stack Buffer Overflow via UPnP SUBSCRIBE Callback Header CVE-2021-35392  This vulnerability affects the virtual light device with a power switching IoT. A successful attack will allow attackers to inject the reverse shell on the target device and run an arbitrary code.

Heap Buffer Overflow via SSDP ST field (CVE-2021-35393) – Another UPnP focused vulnerability in SSDP ( Simple Service Discovery Protocol ) ST field Allows attackers to spray heap.

Realtek Jungle SDK version v2.x up to v3.4.14B provides a ‘WiFi Simple Config’ server that implements both UPnP and SSDP protocols. The binary is usually named wscd or mini_upnpd and is the successor to miniigd.

“The server is vulnerable to a heap buffer overflow that is present due to unsafe crafting of SSDP NOTIFY messages from received M-SEARCH messages ST header.”

Vulnerabilities in Web Management Interface

There are two versions used by Realtek stock web management interface binary GoAhead-webs (/bin/webs), the other is Boa (/bin/boa).

Both are affected by the command injection and buffer overflows vulnerabilities(CVE-2021-35395) of following:-

  • Stack Buffer Overflow via formRebootCheck’s submit-url query parameter
  • Stack Buffer Overflow via formWsc’s submit-url query parameter
  • Stack Buffer Overflow via formWlSiteSurvey’s ifname query parameter
  • Arbitrary Command Execution in formSysCmd
  • Command Injection via formWsc’s peerPin query parameter
  • Stack Buffer Overflow via formStaticDHCP’s hostname query parameter
  • Stack Buffer Overflow via formWlanMultipleAP’s submit-url query parameter
  • Stack Buffer Overflow via formWsc’s peerPin query parameter

The root cause of the above vulnerabilities is insufficient validation on the received buffer, and unsafe callsto sprintf/strcpy. An attack can exploit the vulnerabilities by crafting arguments in a specific request, and a successful exploit would cause the server to crash and deny service.

Vulnerabilities in UDPServer

Researchers uncovered a Command Injection vulnerabiilties (CVE-2021-35394) in UDPServer For each identified firmware image with a UDPserver binary, manual analysis is required to confirm.

The ‘UDPServer’ MP tool is affected by multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability, due to insufficient legality detection on commands received from clients

Here the following affected vulnerabilities.

  • Command Injection via UDPServer protocol
  • Static Buffer Overflow via UDPServer protocol

“We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million.” Researchers said.

Realtek released a complete advisory and fixed the vulnerabilities.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Leave a Reply