Realtek SDK Bugs Make Various IoT Devices Vulnerable To RCE Attacks

Realtek has recently addressed serious security issues in its SDK within numerous routers. Exploiting these bugs could allow an adversary to exploit remote code execution attacks.

Realtek SDK Vulnerabilities

Researchers from IoT Security have highlighted details of the four security bugs they found in Realtek SDK. Realtek chips which are contained within numerous IoT devices from different vendors, so the bugs posed a security threat to dozens of devices.

As elaborated in their advisory, the vulnerabilities existed in the RTL819xD chips that powered their WiFi device. The researchers selected it for analysis given the frequent use of RTL8xxx SoCs to provide wireless functionalities in IoT devices, including routers and cameras.

Specifically, they found the following four different vulnerabilities in the Realtek SDK.

  • CVE-2021-35392: ‘WiFi Simple Config’ stack buffer overflow via UPnP (8.1; high)
  • CVE-2021-35393: ‘WiFi Simple Config’ heap buffer overflow via SSDP (8.1; high)
  • CVE-2021-35394: MP Daemon diagnostic tool command injection (9.8; critical)
  • CVE-2021-35395: management web interface multiple vulnerabilities (9.8; critical)

Regarding the vulnerable devices, the researchers state,

We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million.

Technical details of the vulnerabilities and the complete list of vulnerable devices from different vendors are available in their advisory. To get an idea about the extent of the risk, some of the vendors with multiple vulnerable devices include D-Link, ASUSTek, Buffalo, Edimax, LG, Netis, Zyxel, and more, besides Realtek.

Patches Deployed

Following the discovery, the researchers reached out to Realtek to report the bugs.

Describing the bugs in their advisory, Realtek mentioned,

The root cause of the above vulnerabilities is insufficient validation on the received buffer, and unsafe callsto sprintf/strcpy. An attack can exploit the vulnerabilities by crafting arguments in a specific request, and a successful exploit would cause the server to crash and deny service.

Consequently, the vendors patched the vulnerabilities and deployed fixes.

Given the severity of the flaws, users must ensure updating their devices at the earliest to avoid any possible exploit.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients