Thursday, July 18, 2024
EHA

Severe Vulnerabilities in Realtek SDK Affects Around Millions of IoT Devices

Researchers uncovered multiple severe vulnerabilities in Realtek SDK That affects nearly a million IoT devices, travel routers, Wi-Fi repeaters, IP camera, smart lights and more.

Successful exploitation of these vulnerabilities allows attackers to fully compromise the target IoT devices and gain high-level privilege by executing the arbitrary code remotely.

Realtek chipsets are used in various embedded devices in IoT environments and  RTL8xxx SoCs are providing wireless capabilities and support binaries that contain more than a dozen vulnerabilities such as command injection to memory corruption.

Identified vulnerabilities are affects the different components such as UPnP & SSDP WiFi Simple Config, MP Daemon, and management web interfaces.

Researchers from IoT Inspector revealed that at least 65 different affected vendors with close to 200 unique fingerprints with the help of shodan, and the vendors who have misconfigured their devices which helps researchers to found these vulnerabilities.

Therse are several version of the Realtek chipsets are vulnerable as follows:-

  • Realtek SDK v2.x
  • Realtek “Jungle” SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT
  • Realtek “Luna” SDK up to version 1.3.2

CVE-2021-35392 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35393 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35394 – 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35395- 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Realtek Vulnerability Analysis

The vulnerabilities are affected by the different Realtek components including UPnP vulnerabilities, Web Management Interface vulnerabilities, and UDPServer Vulnerabilities.

UPnP vulnerbilities:

There are two vulnerabilities (CVE-2021-35392) that affect the UPnP that is used by Realtek Jungle SDK version v2.x up to v3.4.14B, and it was uncovered in the following binaries used by UPnP.

  • mini_upnpd: seems to be only handling SSDP packets and does not expose a UPnP HTTP interface. For every firmware image we identified to contain a mini_upnpd binary, wscd was also present.
  • wscd: aka ‘Realtek WiFi Simple-Config Daemon’, implements both SSDP packet handling and a UPnP HTTP interface.

Stack Buffer Overflow via UPnP SUBSCRIBE Callback Header CVE-2021-35392  This vulnerability affects the virtual light device with a power switching IoT. A successful attack will allow attackers to inject the reverse shell on the target device and run an arbitrary code.

Heap Buffer Overflow via SSDP ST field (CVE-2021-35393) – Another UPnP focused vulnerability in SSDP ( Simple Service Discovery Protocol ) ST field Allows attackers to spray heap.

Realtek Jungle SDK version v2.x up to v3.4.14B provides a ‘WiFi Simple Config’ server that implements both UPnP and SSDP protocols. The binary is usually named wscd or mini_upnpd and is the successor to miniigd.

“The server is vulnerable to a heap buffer overflow that is present due to unsafe crafting of SSDP NOTIFY messages from received M-SEARCH messages ST header.”

Vulnerabilities in Web Management Interface

There are two versions used by Realtek stock web management interface binary GoAhead-webs (/bin/webs), the other is Boa (/bin/boa).

Both are affected by the command injection and buffer overflows vulnerabilities(CVE-2021-35395) of following:-

  • Stack Buffer Overflow via formRebootCheck’s submit-url query parameter
  • Stack Buffer Overflow via formWsc’s submit-url query parameter
  • Stack Buffer Overflow via formWlSiteSurvey’s ifname query parameter
  • Arbitrary Command Execution in formSysCmd
  • Command Injection via formWsc’s peerPin query parameter
  • Stack Buffer Overflow via formStaticDHCP’s hostname query parameter
  • Stack Buffer Overflow via formWlanMultipleAP’s submit-url query parameter
  • Stack Buffer Overflow via formWsc’s peerPin query parameter

The root cause of the above vulnerabilities is insufficient validation on the received buffer, and unsafe callsto sprintf/strcpy. An attack can exploit the vulnerabilities by crafting arguments in a specific request, and a successful exploit would cause the server to crash and deny service.

Vulnerabilities in UDPServer

Researchers uncovered a Command Injection vulnerabiilties (CVE-2021-35394) in UDPServer For each identified firmware image with a UDPserver binary, manual analysis is required to confirm.

The ‘UDPServer’ MP tool is affected by multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability, due to insufficient legality detection on commands received from clients

Here the following affected vulnerabilities.

  • Command Injection via UDPServer protocol
  • Static Buffer Overflow via UDPServer protocol

“We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million.” Researchers said.

Realtek released a complete advisory and fixed the vulnerabilities.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Cybercriminals Exploit Attack on Donald Trump for Crypto Scams

Researchers at Bitdefender Labs remain ever-vigilant, informing users about the latest scams and internet...

New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations...

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles