Important information was recently released about four vulnerabilities in components of the Realtek SDK, which various wireless device manufacturers use in their firmware. The identified issues allow an unauthenticated attacker to remotely execute code on a vulnerable device with elevated privileges.
It is estimated that the issues affect at least 200 device models from 65 different vendors, including various wireless router models from the Asus, A-Link, Beeline, Belkin, Buffalo, D-Link, Edison, Huawei, LG, Logitec, MT-Link, Netgear, Realtek, Smartlink, UPVEL, ZTE and Zyxel brands.
The problem encompasses various classes of RTL8xxx SoC-based wireless devices: from wireless routers and Wi-Fi range extenders to IP cameras and smart lighting-control devices.
Devices based on RTL8xxx chips use an architecture with two SoCs: the first runs the manufacturer's Linux-based firmware, and the second runs a separate, lean Linux environment that implements the access point functions. The second environment is built from the standard components Realtek provides in its SDK. Among other things, these components process the data that arrives in externally sent requests.
The vulnerabilities affect products that use Realtek SDK v2.x, Realtek "Jungle" SDK v3.0-3.4 and Realtek "Luna" SDK up to version 1.3.2.
As for the severity of the identified vulnerabilities, the first two were assigned a CVSS score of 8.1 and the remaining two a score of 9.8.
- CVE-2021-35392: a buffer overflow in the mini_upnpd and wscd processes that implement the "WiFi Simple Config" functionality (mini_upnpd handles SSDP packets; wscd, besides supporting SSDP, also handles HTTP-based UPnP requests). An attacker can achieve code execution by sending specially crafted UPnP SUBSCRIBE requests with an overly large port number in the Callback field.
- CVE-2021-35393: a vulnerability in the "WiFi Simple Config" handlers that manifests itself when the SSDP protocol is used (SSDP runs over UDP and uses an HTTP-like request format). The problem is caused by the use of a fixed 512-byte buffer when processing the "ST: upnp" parameter in the M-SEARCH messages that clients send to discover the services available on the network.
- CVE-2021-35394: a vulnerability in the MP Daemon process, which is responsible for performing diagnostic operations (ping, traceroute). Because the arguments passed to external utilities are insufficiently validated, the problem allows an attacker to inject their own commands.
- CVE-2021-35395: a series of vulnerabilities in the web interfaces based on the /bin/webs and /bin/boa HTTP servers. Similar vulnerabilities were identified in both servers, caused by a lack of argument validation before external utilities are executed via the system() function. The differences come down only to the different APIs used for the attack.
Neither server included protection against CSRF attacks or against the "DNS rebinding" technique, which allows requests to be sent from the external network even when access to the interface is restricted to the internal network. The processes also used the predefined supervisor/supervisor account by default.
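As an added example (not code from the advisory or from Realtek), the following Python detector applies the two network-visible trigger conditions described for CVE-2021-35393 and CVE-2021-35392 to SSDP/UPnP datagrams: an M-SEARCH whose ST header would not fit the 512-byte buffer, and a SUBSCRIBE whose Callback URL carries a port outside the valid TCP range. The sample packets are constructed for illustration; the `ST_BUFFER_LIMIT` constant and the function names are this example's own assumptions.

```python
"""Flag SSDP/UPnP requests matching the Realtek SDK trigger conditions."""
import re
from typing import Dict, List, Optional, Tuple

ST_BUFFER_LIMIT = 512   # fixed buffer size named in the advisory (CVE-2021-35393)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP-style SSDP/UPnP request into (method, headers)."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                       # header names are case-insensitive
            headers[name.strip().upper()] = value.strip()
    return method, headers


def callback_ports(callback: str) -> List[Optional[int]]:
    """Explicit port of each <url> in a Callback header (None if no port given)."""
    ports: List[Optional[int]] = []
    for url in re.findall(r"<([^>]*)>", callback):
        m = re.match(r"https?://[^/:]+:(\d+)", url)
        ports.append(int(m.group(1)) if m else None)
    return ports


def classify(raw: bytes) -> List[str]:
    """Return the trigger conditions that a single datagram matches."""
    method, headers = parse_request(raw)
    findings = []
    if method == "M-SEARCH" and len(headers.get("ST", "")) > ST_BUFFER_LIMIT:
        findings.append("CVE-2021-35393 oversized ST header")
    if method == "SUBSCRIBE":
        for port in callback_ports(headers.get("CALLBACK", "")):
            if port is not None and not 1 <= port <= 65535:
                findings.append("CVE-2021-35392 out-of-range Callback port")
                break
    return findings


# Constructed samples (not captured traffic): a normal discovery probe and
# two requests exhibiting the advisory's trigger conditions.
SAMPLES = {
    "benign": (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
               b"MAN: \"ssdp:discover\"\r\nST: upnp:rootdevice\r\nMX: 2\r\n\r\n"),
    "long_st": (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b"ST: upnp:" + b"A" * 600 + b"\r\n\r\n"),
    "bad_port": (b"SUBSCRIBE /upnp/event HTTP/1.1\r\nHOST: 192.0.2.1\r\n"
                 b"CALLBACK: <http://192.0.2.50:999999/notify>\r\nNT: upnp:event\r\n\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt) or ["clean"])
```

Feeding captured UDP 1900 and UPnP HTTP traffic through `classify` gives a cheap way to spot probing of unpatched devices before a firmware update can be applied.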
The fix has already been released in Realtek "Luna" SDK update 1.3.2a, and patches for the Realtek "Jungle" SDK are being prepared for release. No fixes are planned for Realtek SDK 2.x, as maintenance of this branch has already been discontinued. Working exploit prototypes have been provided for all the vulnerabilities, allowing arbitrary code to be run on the device.
In addition, several more vulnerabilities were identified in the UDPServer process. As it turned out, one of the problems had already been discovered by other researchers in 2015 but was never completely fixed. The problem is caused by the lack of proper validation of the arguments passed to the system() function and can be exploited by sending a string such as 'orf; ls' to network port 9034.