Taiwanese chip designer Realtek has warned of four vulnerabilities in three SDKs accompanying its Wi-Fi modules, which are used in nearly 200 products made by more than five dozen vendors.
The flaws allow a remote, unauthenticated attacker to deny service, crash devices and inject arbitrary commands, says the advisory [PDF]:
- CVE-2021-35392, Simple Config Wi-Fi stack buffer overflow via UPnP
- CVE-2021-35393, Simple Config Wi-Fi buffer overflow via SSDP
- CVE-2021-35394, MP Daemon diagnostic tool command injection
- CVE-2021-35395, multiple vulnerabilities in the management web interface
The first two are rated high in terms of severity (8.1 on the CVSS scale); the second two are classified as critical severity (9.8). To exploit these flaws successfully, an attacker must be on the same network as the device or be able to reach it over the Internet. As such, these bugs could be exploited by malware on someone’s PC to hijack their cable Internet router and smart home equipment, by criminals to commandeer public Wi-Fi points, and so on.
Bad Homburg, Germany-based security firm IoT Inspector disclosed the vulnerabilities to Realtek in May and said more than 65 hardware manufacturers' products integrate the Realtek RTL819xD module, which implements wireless access point functions and includes one of the vulnerable SDKs.
“By exploiting these vulnerabilities, remote unauthenticated attackers can completely compromise the target device and execute arbitrary code with the highest level of privilege,” the biz said in its notice, estimating – cautiously, we believe – that nearly a million vulnerable devices may be in use, including VoIP and wireless routers, repeaters, IP cameras, and smart lighting controls.
“We informed Realtek, and they immediately responded and provided an appropriate fix,” Florian Lukavsky, managing director of IoT Inspector, said in a statement. “Manufacturers using vulnerable Wi-Fi modules are strongly encouraged to verify their devices and provide security patches to their users.”
It may be worth adding that IoT Inspector researchers identified the affected hardware using the Shodan vulnerability search engine, which means disbelievers can do the same. Vendors of the vulnerable kit are believed to include: AsusTEK, Belkin, D-Link, Edimax, Hama, Logitech, and Netgear, among others.
“For an exploit to be successful, an attacker usually needs to be on the same Wi-Fi network,” continued the IoT Inspector team. “However, faulty ISP configurations also expose many vulnerable devices directly to the Internet. A successful attack would provide full control of the Wi-Fi module, as well as root access to the operating system of the built-in device.”
Of the three SDK iterations identified – Realtek SDK v2.x; Realtek “Jungle” SDK v3.0 / v3.1 / v3.2 / v3.4.x / v3.4T / v3.4T-CT; and Realtek “Luna” SDK up to version 1.3.2 – the first is no longer supported because it is 11 years old. For the “Jungle” SDK, Realtek is making patches available, but these will have to be backported, according to IoT Inspector. The most recent “Luna” SDK, 1.3.2a, has been fixed.
These fixes will need to reach devices through software updates. That is to say, it is one thing for Realtek to correct the flaws in its software and another for those changes to be reflected in equipment in the field. Check for firmware updates for your equipment and deploy them where available.
The security team notes that “insufficient secure software development practices, especially the lack of security testing and code review, have left dozens of critical security issues intact in the code base of Realtek for over a decade”.
Realtek did not immediately respond to a request for comment. ®