Thursday, March 28, 2024

Severe Vulnerabilities in Realtek SDK Affect Millions of IoT Devices

Researchers uncovered multiple severe vulnerabilities in the Realtek SDK that affect nearly a million IoT devices, including travel routers, Wi-Fi repeaters, IP cameras, smart lights and more.

Successful exploitation of these vulnerabilities allows attackers to fully compromise the target IoT devices and gain high-level privileges by executing arbitrary code remotely.

Realtek chipsets are used in various embedded devices in IoT environments. RTL8xxx SoCs provide wireless capabilities, and their supporting binaries contain more than a dozen vulnerabilities ranging from command injection to memory corruption.

The identified vulnerabilities affect different components, such as UPnP & SSDP WiFi Simple Config, the MP Daemon, and the management web interfaces.

Researchers from IoT Inspector identified at least 65 different affected vendors with close to 200 unique fingerprints. They did so with the help of Shodan and of vendors who had misconfigured their devices, which helped the researchers find these vulnerabilities.

The following Realtek SDK versions are vulnerable:

  • Realtek SDK v2.x
  • Realtek “Jungle” SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT
  • Realtek “Luna” SDK up to version 1.3.2

CVE-2021-35392 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35393 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35394 – 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35395 – 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Realtek Vulnerability Analysis

The vulnerabilities affect different Realtek components and fall into three groups: UPnP vulnerabilities, web management interface vulnerabilities, and UDPServer vulnerabilities.

UPnP vulnerabilities:

Two vulnerabilities (CVE-2021-35392) affect the UPnP implementation used by Realtek Jungle SDK versions v2.x up to v3.4.14B. They were uncovered in the following binaries used by UPnP.

  • mini_upnpd: seems to be only handling SSDP packets and does not expose a UPnP HTTP interface. For every firmware image we identified to contain a mini_upnpd binary, wscd was also present.
  • wscd: aka ‘Realtek WiFi Simple-Config Daemon’, implements both SSDP packet handling and a UPnP HTTP interface.

Stack Buffer Overflow via UPnP SUBSCRIBE Callback Header (CVE-2021-35392) – This vulnerability affects a virtual light IoT device with power switching. A successful attack allows attackers to inject a reverse shell on the target device and run arbitrary code.

Heap Buffer Overflow via SSDP ST field (CVE-2021-35393) – Another UPnP-focused vulnerability, in the SSDP (Simple Service Discovery Protocol) ST field, that allows attackers to spray the heap.

Realtek Jungle SDK version v2.x up to v3.4.14B provides a ‘WiFi Simple Config’ server that implements both UPnP and SSDP protocols. The binary is usually named wscd or mini_upnpd and is the successor to miniigd.

“The server is vulnerable to a heap buffer overflow that is present due to unsafe crafting of SSDP NOTIFY messages from received M-SEARCH messages ST header.”

Vulnerabilities in Web Management Interface

There are two versions of the Realtek stock web management interface binary: one is GoAhead-webs (/bin/webs), the other is Boa (/bin/boa).

Both are affected by the following command injection and buffer overflow vulnerabilities (CVE-2021-35395):

  • Stack Buffer Overflow via formRebootCheck’s submit-url query parameter
  • Stack Buffer Overflow via formWsc’s submit-url query parameter
  • Stack Buffer Overflow via formWlSiteSurvey’s ifname query parameter
  • Arbitrary Command Execution in formSysCmd
  • Command Injection via formWsc’s peerPin query parameter
  • Stack Buffer Overflow via formStaticDHCP’s hostname query parameter
  • Stack Buffer Overflow via formWlanMultipleAP’s submit-url query parameter
  • Stack Buffer Overflow via formWsc’s peerPin query parameter

The root cause of the above vulnerabilities is insufficient validation of the received buffer and unsafe calls to sprintf/strcpy. An attacker can exploit the vulnerabilities by crafting arguments in a specific request, and a successful exploit would cause the server to crash and deny service.
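The root cause described above, as an added example (not Realtek's code and not part of the original article): a hardened way to handle a `submit-url`-style value and a `peerPin`-style value. The buffer size, the function names, the accepted PIN lengths and the `/bin/wps_tool` helper with its `--pin` option are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define URL_MAX 64 /* assumed size of the handler's stack buffer */
/* Unsafe pattern the article names (comment only): strcpy(url, submit_url);
 * sprintf(cmd, "helper %s", peer_pin); system(cmd); */
/* Bounded copy: 0 on success, -1 if the value is missing or does not fit. */
int copy_submit_url(char *dst, size_t dst_len, const char *submit_url)
{
    if (dst == NULL || dst_len == 0 || submit_url == NULL)
        return -1;
    int n = snprintf(dst, dst_len, "%s", submit_url);
    if (n >= 0 && (size_t)n < dst_len)
        return 0;
    dst[0] = '\0'; /* would truncate: reject instead of using a cut value */
    return -1;
}

/* Allow-list: digits only; a 4- or 8-digit WPS PIN is assumed here. */
int valid_peer_pin(const char *pin)
{
    size_t i, len = pin ? strlen(pin) : 0;
    if (len != 4 && len != 8)
        return 0;
    for (i = 0; i < len; i++)
        if (!isdigit((unsigned char)pin[i]))
            return 0;
    return 1;
}

/* Build an argv for execv() so that no shell ever parses the PIN. */
int build_wps_argv(const char *pin, const char *argv[4])
{
    if (!valid_peer_pin(pin))
        return -1;
    argv[0] = "/bin/wps_tool"; /* hypothetical helper path */
    argv[1] = "--pin";         /* hypothetical option name */
    argv[2] = pin;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    char url[URL_MAX];
    const char *argv[4];
    printf("%d %d\n", copy_submit_url(url, sizeof url, "/wlwps.htm"), build_wps_argv("12345670", argv));
    return 0;
}
```

The same length check before formatting applies wherever a received field is copied into a fixed-size buffer, such as the other query parameters listed above.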

Vulnerabilities in UDPServer

Researchers uncovered a command injection vulnerability (CVE-2021-35394) in UDPServer. For each identified firmware image with a UDPServer binary, manual analysis is required to confirm.

The ‘UDPServer’ MP tool is affected by multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability, due to insufficient legality detection on commands received from clients.

The affected vulnerabilities are as follows:

  • Command Injection via UDPServer protocol
  • Static Buffer Overflow via UDPServer protocol

“We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million,” the researchers said.

Realtek released a complete advisory and fixed the vulnerabilities.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
