Vulnerability in Realtek Chips Gives Root Access to Wi-Fi Module

A critical vulnerability in Wi-Fi chips from chip maker Realtek could give an attacker remote root access to the Wi-Fi module, researchers at security company Vdoo discovered. From the Wi-Fi module it would then be possible to attack the device's application processor.

The Realtek RTL8195AM, RTL8711AM, RTL8711AF and RTL8710AF are Wi-Fi modules used in embedded devices across a wide variety of industries. Researchers at Vdoo found that, in the worst case, a stack-based buffer overflow can be triggered during the WPA2 handshake, allowing an attacker to take over the Wi-Fi module completely. The attacker does not need to know the Wi-Fi network's password (PSK).

The vulnerability (CVE-2020-9395) occurs in the 4-way handshake of the WPA2 protocol. This handshake is performed when a client wants to connect to a secure Wi-Fi network and is used to confirm that the client and access point have the correct credentials.

During this handshake, an attacker can send a specially crafted EAPoL-Key packet that causes a stack-based buffer overflow and allows code execution with root privileges on the Wi-Fi module. EAPoL (EAP over LAN, defined in IEEE 802.1X) is the framing used to carry authentication messages on a network.
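The defect class described above, a handshake frame whose declared lengths are trusted before data is copied into a fixed stack buffer, is caught by validating each length against the next. The following is an added defensive example, not Realtek firmware code: the field offsets follow the public IEEE 802.1X / 802.11 EAPoL-Key layout with a 16-byte MIC, `KEY_DATA_MAX` is a constructed stand-in for a receiver's stack buffer, and the page does not state which field the Realtek bug mishandled.

```c
#include <stdint.h>
#include <stddef.h>
/* Offsets follow the public IEEE 802.1X / 802.11 EAPoL-Key layout with a
 * 16-byte MIC; KEY_DATA_MAX is a constructed stand-in for a receiver's
 * fixed stack buffer. Added defensive example, not Realtek firmware. */
#define EAPOL_HDR_LEN      4    /* version(1) type(1) body length(2) */
#define EAPOL_TYPE_KEY     3
#define KEY_DESC_FIXED_LEN 95   /* descriptor fields through key data length */
#define KEY_DATA_MAX       256  /* constructed: receiver's stack buffer size */
struct eapol_key_view {
    uint16_t key_info;
    uint16_t key_data_len;
    const uint8_t *key_data;
};

/* Validate every length before anything is read or copied. Returns 0 and
 * fills *out on success, a negative code for the first failed check. */
int parse_eapol_key(const uint8_t *frame, size_t frame_len,
                    struct eapol_key_view *out)
{
    if (frame_len < EAPOL_HDR_LEN + KEY_DESC_FIXED_LEN) return -1;
    if (frame[1] != EAPOL_TYPE_KEY) return -2;
    uint16_t body_len = (uint16_t)(frame[2] << 8 | frame[3]);
    if ((size_t)body_len + EAPOL_HDR_LEN > frame_len) return -3; /* body vs. bytes received */
    if (body_len < KEY_DESC_FIXED_LEN) return -4;
    const uint8_t *kd = frame + EAPOL_HDR_LEN;
    uint16_t key_data_len = (uint16_t)(kd[93] << 8 | kd[94]);
    if (key_data_len > body_len - KEY_DESC_FIXED_LEN) return -5; /* key data vs. body */
    if (key_data_len > KEY_DATA_MAX) return -6;                  /* key data vs. destination */
    out->key_info = (uint16_t)(kd[1] << 8 | kd[2]);
    out->key_data_len = key_data_len;
    out->key_data = kd + KEY_DESC_FIXED_LEN;
    return 0;
}

/* Constructed test frame: the body really carries `actual` key data bytes while
 * the key data length field claims `declared`; returns the parser's verdict. */
int demo_parse(uint16_t declared, size_t actual)
{
    uint8_t frame[EAPOL_HDR_LEN + KEY_DESC_FIXED_LEN + 300] = {0};
    size_t body = KEY_DESC_FIXED_LEN + actual;   /* caller keeps actual <= 300 */
    frame[0] = 2; frame[1] = EAPOL_TYPE_KEY;
    frame[2] = (uint8_t)(body >> 8); frame[3] = (uint8_t)body;
    uint8_t *kd = frame + EAPOL_HDR_LEN;
    kd[0] = 2;                                   /* RSN key descriptor type */
    kd[93] = (uint8_t)(declared >> 8); kd[94] = (uint8_t)declared;
    struct eapol_key_view v;
    return parse_eapol_key(frame, EAPOL_HDR_LEN + body, &v);
}
```

A frame whose declared key data length exceeds the received body is rejected before any copy (-5), and one that fits the body but not the destination buffer is rejected as well (-6), which is the check a fixed-size stack copy must make.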

The attack works against both clients and access points. Once the Wi-Fi module is compromised, the attacker can also attempt to attack the device's application processor, since the attacker now has full control over the Wi-Fi traffic. Realtek has released security updates for the problem.
