Taiwanese chip designer Realtek is warning of four security vulnerabilities in three software development kits (SDKs) accompanying its WiFi modules, which are used in almost 200 IoT devices made by at least 65 vendors.
The flaws, which affect Realtek SDK v2.x, Realtek "Jungle" SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT, and Realtek "Luna" SDK up to version 1.3.2, could be abused by attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege —
- CVE-2021-35392 (CVSS score: 8.1) - Heap buffer overflow vulnerability in 'WiFi Simple Config' server due to unsafe crafting of SSDP NOTIFY messages
- CVE-2021-35393 (CVSS score: 8.1) - Stack buffer overflow vulnerability in 'WiFi Simple Config' server due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header
- CVE-2021-35394 (CVSS score: 9.8) - Multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability in 'UDPServer' MP tool
- CVE-2021-35395 (CVSS score: 9.8) - Multiple buffer overflow vulnerabilities in HTTP web server 'boa' due to unsafe copies of some overly long parameters
Impacting devices that implement wireless capabilities, the list includes residential gateways, travel routers, WiFi repeaters, IP cameras to smart lightning gateways, or even connected toys from a wide range of manufacturers such as AIgital, ASUSTek, Beeline, Belkin, Buffalo, D-Link, Edimax, Huawei, LG, Logitec, MT-Link, Netis, Netgear, Occtel, PATECH, TCL, Sitecom, TCL, ZTE, Zyxel, and Realtek's own router lineup.
"We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million," researchers said.
While patches have been released for Realtek "Luna" SDK in version 1.3.2a, users of the "Jungle" SDK are recommended to backport the fixes provided by the company.
The security issues are said to have remained untouched in Realtek's codebase for more than a decade, German cybersecurity specialist IoT Inspector, which discovered the weaknesses, said in a report published Monday three months after disclosing them to Realtek in May 2021.
"On the product vendor's end, [...] manufacturers with access to the Realtek source code [...] missed to sufficiently validate their supply chain, [and] left the issues unspotted and distributed the vulnerabilities to hundreds of thousands of end customers — leaving them vulnerable to attacks," the researchers said.
Update: Three days after details about the Realtek vulnerabilities were revealed, active exploitation attempts have been detected to spread a variant of a Mirai malware and rope the compromised devices into the botnet. The same threat actor behind this Mirai-based botnet has also been linked to a string of attacks at least since February 2021, leveraging newly disclosed flaws in network security appliances and home routers to their advantage.
"This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly," network security firm SAM Seamless Network said last week. "These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react."
