Remote Code Execution Flaws in Realtek SDK Affect IoT devices


Chip designer Realtek today issued a warning about four security flaws in three development kits accompanying its WiFi modules. According to researchers at security firm IoT Inspector, the vulnerabilities could affect over 65 IoT device manufacturers.

As detailed in a write-up, IoT Inspector found flaws within the Realtek RTL819xD chip, which allow hackers to gain root access to the host device, its operating system, and potentially other devices on the network.

The flaws, which affect Realtek SDK v2.x, Realtek “Jungle” SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT, and Realtek “Luna” SDK up to version 1.3.2, could be abused by attackers to fully compromise the target device and execute arbitrary code. 

The CVE-2021-35392, CVE-2021-35392 vulnerability is a heap buffer overflow in the ‘WiFi Simple Config’ server (wscd), which implements both the UPnP and SSDP protocols, caused by unsafe parsing and crafting of messages.

In the second vulnerability, CVE-2021-35394, the ‘UDPServer’ MP tool is affected by multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability, due to insufficient validation of commands received from clients.

In the case of the CVE-2021-35395 flaw, the HTTP web server ‘boa’ (go-ahead has been obsoleted) is vulnerable to multiple buffer overflows due to unsafe copies of some overly long parameters.

According to Realtek, the root cause of the above vulnerabilities is insufficient validation of the received buffer and unsafe calls to sprintf/strcpy. An attacker can exploit the vulnerabilities by crafting arguments in a specific request, and a successful exploit would cause the server to crash and deny service.
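The root cause described above, shown as an added example that is not code from the Realtek SDK or from the researchers' write-up: an unchecked strcpy/sprintf of a request parameter next to a form that validates the received length first and rejects instead of truncating. The struct, the function names and the 32-byte field size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32  /* assumed field size, for illustration only */

/* Hypothetical config record; not a structure from the Realtek SDK. */
struct wlan_cfg { char ssid[SSID_MAX + 1]; char line[64]; };

/* Unsafe pattern: neither call knows the destination size, so any
 * parameter longer than the field writes past the end of it. */
void set_ssid_unsafe(struct wlan_cfg *c, const char *param) {
    strcpy(c->ssid, param);               /* unbounded copy   */
    sprintf(c->line, "ssid=%s", param);   /* unbounded format */
}

/* Hardened form: measure the input within a bound, reject anything
 * that does not fit, and check snprintf's return for truncation.
 * Returns 0 on success, -1 if the parameter is rejected. */
int set_ssid_checked(struct wlan_cfg *c, const char *param) {
    const char *end;
    size_t len;
    int n;

    if (c == NULL || param == NULL) return -1;
    /* Look for the terminator in at most SSID_MAX + 1 bytes. */
    end = memchr(param, '\0', SSID_MAX + 1);
    if (end == NULL || end == param) return -1;  /* too long or empty */
    len = (size_t)(end - param);

    /* Format first, so a failure leaves the stored SSID untouched. */
    n = snprintf(c->line, sizeof c->line, "ssid=%s", param);
    if (n < 0 || (size_t)n >= sizeof c->line) return -1;
    memcpy(c->ssid, param, len + 1);             /* includes the NUL */
    return 0;
}

int main(void) {
    struct wlan_cfg c = {0};
    char overlong[512];                          /* constructed input */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    printf("normal:   %d\n", set_ssid_checked(&c, "home-net"));
    printf("overlong: %d\n", set_ssid_checked(&c, overlong));
    return 0;
}
```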

The flaws impact devices that implement wireless capabilities. The list ranges from residential gateways, travel routers, WiFi repeaters and IP cameras to smart lighting gateways and even connected toys, from a wide range of manufacturers such as AIgital, ASUSTek, Beeline, Belkin, Buffalo, D-Link, Edimax, Huawei, LG, Logitec, MT-Link, Netis, Netgear, Occtel, PATECH, TCL, Sitecom, ZTE, Zyxel, and Realtek’s own router lineup.

“We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million,” researchers said.

While patches have been released for the Realtek “Luna” SDK in version 1.3.2a, users of the “Jungle” SDK are advised to backport the fixes provided by the company.