Researchers uncovered multiple severe vulnerabilities in Realtek SDK That affects nearly a million IoT devices, travel routers, Wi-Fi repeaters, IP camera, smart lights and more.
Successful exploitation of these vulnerabilities allows attackers to fully compromise the target IoT devices and gain high-level privilege by executing the arbitrary code remotely.
Realtek chipsets are used in various embedded devices in IoT environments and RTL8xxx SoCs are providing wireless capabilities and support binaries that contain more than a dozen vulnerabilities such as command injection to memory corruption.
Identified vulnerabilities are affects the different components such as UPnP & SSDP WiFi Simple Config, MP Daemon, and management web interfaces.
Researchers from IoT Inspector revealed that at least 65 different affected vendors with close to 200 unique fingerprints with the help of shodan, and the vendors who have misconfigured their devices which helps researchers to found these vulnerabilities.
Therse are several version of the Realtek chipsets are vulnerable as follows:-
CVE-2021-35392 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35393 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35394 – 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35395- 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The vulnerabilities are affected by the different Realtek components including UPnP vulnerabilities, Web Management Interface vulnerabilities, and UDPServer Vulnerabilities.
There are two vulnerabilities (CVE-2021-35392) that affect the UPnP that is used by Realtek Jungle SDK version v2.x up to v3.4.14B, and it was uncovered in the following binaries used by UPnP.
Stack Buffer Overflow via UPnP SUBSCRIBE Callback Header CVE-2021-35392 – This vulnerability affects the virtual light device with a power switching IoT. A successful attack will allow attackers to inject the reverse shell on the target device and run an arbitrary code.
Heap Buffer Overflow via SSDP ST field (CVE-2021-35393) – Another UPnP focused vulnerability in SSDP ( Simple Service Discovery Protocol ) ST field Allows attackers to spray heap.
Realtek Jungle SDK version v2.x up to v3.4.14B provides a ‘WiFi Simple Config’ server that implements both UPnP and SSDP protocols. The binary is usually named wscd or mini_upnpd and is the successor to miniigd.
“The server is vulnerable to a heap buffer overflow that is present due to unsafe crafting of SSDP NOTIFY messages from received M-SEARCH messages ST header.”
There are two versions used by Realtek stock web management interface binary GoAhead-webs (/bin/webs
), the other is Boa (/bin/boa
).
Both are affected by the command injection and buffer overflows vulnerabilities(CVE-2021-35395) of following:-
The root cause of the above vulnerabilities is insufficient validation on the received buffer, and unsafe callsto sprintf/strcpy. An attack can exploit the vulnerabilities by crafting arguments in a specific request, and a successful exploit would cause the server to crash and deny service.
Researchers uncovered a Command Injection vulnerabiilties (CVE-2021-35394) in UDPServer For each identified firmware image with a UDPserver
binary, manual analysis is required to confirm.
The ‘UDPServer’ MP tool is affected by multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability, due to insufficient legality detection on commands received from clients
Here the following affected vulnerabilities.
“We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million.” Researchers said.
Realtek released a complete advisory and fixed the vulnerabilities.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…