Vulnerabilities in Realtek SDK compromise hardware from 65 manufacturers

Taiwanese chipmaker Realtek has reported four vulnerabilities in three SDKs for its Wi-Fi companion modules, used in nearly 200 products from more than fifty vendors.

The vulnerabilities allow a remote unauthorized attacker to cause a denial of service, disable devices, and inject arbitrary commands.

  • CVE-2021-35392 - Stack buffer overflow via UPnP in Wi-Fi Simple Config;
  • CVE-2021-35393 - Heap overflows via SSDP in Wi-Fi Simple Config;
  • CVE-2021-35394 - Command injection in the MP Daemon diagnostic tool;
  • CVE-2021-35395 - Multiple vulnerabilities in the web management interface.

The first two vulnerabilities scored 8.1 out of a maximum of 10 on the CVSS severity scale, and the second two scored 9.8. To exploit them, the attacker must be on the same network as the device or have access to it via the Internet.

The German company IoT Inspector, which discovered the vulnerabilities, notified Realtek about them in May this year, and the manufacturer immediately released fixes.

Using these vulnerabilities, a remote unauthorized attacker can completely compromise the attacked device and execute arbitrary code with the highest privileges.

According to experts, products from more than 65 manufacturers (including AsusTEK, Belkin, D-Link, Edimax, Hama, Logitech and Netgear) use the Realtek RTL819xD module with a wireless access point function and one of the vulnerable SDKs. In particular, the vulnerabilities affect Realtek SDK v2.x, Realtek “Jungle” SDK v3.0 / v3.1 / v3.2 / v3.4.x / v3.4T / v3.4T-CT and Realtek “Luna” SDK up to version 1.3.2. The first SDK is already 11 years old and is no longer supported, while the second can be patched, but the fixes will have to be backported. For the new “Luna” SDK 1.3.2a, all patches are ready.
