Severe Vulnerabilities in Realtek SDK Affects Around Millions of IoT Devices

Researchers uncovered multiple severe vulnerabilities in Realtek SDK That affects nearly a million IoT devices, travel routers, Wi-Fi repeaters, IP camera, smart lights and more.

Successful exploitation of these vulnerabilities allows attackers to fully compromise the target IoT devices and gain high-level privilege by executing the arbitrary code remotely.

Realtek chipsets are used in various embedded devices in IoT environments and  RTL8xxx SoCs are providing wireless capabilities and support binaries that contain more than a dozen vulnerabilities such as command injection to memory corruption.

Identified vulnerabilities are affects the different components such as UPnP & SSDP WiFi Simple Config, MP Daemon, and management web interfaces.

Researchers from IoT Inspector revealed that at least 65 different affected vendors with close to 200 unique fingerprints with the help of shodan, and the vendors who have misconfigured their devices which helps researchers to found these vulnerabilities.

Therse are several version of the Realtek chipsets are vulnerable as follows:-

  • Realtek SDK v2.x
  • Realtek “Jungle” SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT
  • Realtek “Luna” SDK up to version 1.3.2

CVE-2021-35392 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35393 – 8.1 (high) AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35394 – 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-35395- 9.8 (critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Realtek Vulnerability Analysis

The vulnerabilities are affected by the different Realtek components including UPnP vulnerabilities, Web Management Interface vulnerabilities, and UDPServer Vulnerabilities.

UPnP vulnerbilities:

There are two vulnerabilities (CVE-2021-35392) that affect the UPnP that is used by Realtek Jungle SDK version v2.x up to v3.4.14B, and it was uncovered in the following binaries used by UPnP.

  • mini_upnpd: seems to be only handling SSDP packets and does not expose a UPnP HTTP interface. For every firmware image we identified to contain a mini_upnpd binary, wscd was also present.
  • wscd: aka ‘Realtek WiFi Simple-Config Daemon’, implements both SSDP packet handling and a UPnP HTTP interface.

Stack Buffer Overflow via UPnP SUBSCRIBE Callback Header CVE-2021-35392  This vulnerability affects the virtual light device with a power switching IoT. A successful attack will allow attackers to inject the reverse shell on the target device and run an arbitrary code.

Heap Buffer Overflow via SSDP ST field (CVE-2021-35393) – Another UPnP focused vulnerability in SSDP ( Simple Service Discovery Protocol ) ST field Allows attackers to spray heap.

Realtek Jungle SDK version v2.x up to v3.4.14B provides a ‘WiFi Simple Config’ server that implements both UPnP and SSDP protocols. The binary is usually named wscd or mini_upnpd and is the successor to miniigd.

“The server is vulnerable to a heap buffer overflow that is present due to unsafe crafting of SSDP NOTIFY messages from received M-SEARCH messages ST header.”

Vulnerabilities in Web Management Interface

There are two versions used by Realtek stock web management interface binary GoAhead-webs (/bin/webs), the other is Boa (/bin/boa).

Both are affected by the command injection and buffer overflows vulnerabilities(CVE-2021-35395) of following:-

  • Stack Buffer Overflow via formRebootCheck’s submit-url query parameter
  • Stack Buffer Overflow via formWsc’s submit-url query parameter
  • Stack Buffer Overflow via formWlSiteSurvey’s ifname query parameter
  • Arbitrary Command Execution in formSysCmd
  • Command Injection via formWsc’s peerPin query parameter
  • Stack Buffer Overflow via formStaticDHCP’s hostname query parameter
  • Stack Buffer Overflow via formWlanMultipleAP’s submit-url query parameter
  • Stack Buffer Overflow via formWsc’s peerPin query parameter

The root cause of the above vulnerabilities is insufficient validation on the received buffer, and unsafe callsto sprintf/strcpy. An attack can exploit the vulnerabilities by crafting arguments in a specific request, and a successful exploit would cause the server to crash and deny service.

Vulnerabilities in UDPServer

Researchers uncovered a Command Injection vulnerabiilties (CVE-2021-35394) in UDPServer For each identified firmware image with a UDPserver binary, manual analysis is required to confirm.

The ‘UDPServer’ MP tool is affected by multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability, due to insufficient legality detection on commands received from clients

Here the following affected vulnerabilities.

  • Command Injection via UDPServer protocol
  • Static Buffer Overflow via UDPServer protocol

“We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million.” Researchers said.

Realtek released a complete advisory and fixed the vulnerabilities.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Blue Yonder Ransomware Attack Impacts Starbucks & Multiple Supermarkets

A ransomware attack on Blue Yonder, a leading supply chain management software provider, has created…

37 minutes ago

Dell Wyse Management Suite Vulnerabilities Let Attackers Exploit Affected Systems Remotely

Dell Technologies has released a security update for its Wyse Management Suite (WMS) to address…

1 hour ago

CISA Details Red Team Assessment Including TTPs & Network Defense

The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team Assessment…

1 hour ago

IBM Workload Scheduler Vulnerability Stores User Credentials in Plain Text

IBM has issued a security bulletin warning customers about a vulnerability in its Workload Scheduler…

2 hours ago

Multiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions of…

2 hours ago

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

17 hours ago