Wireless tech software flaws allowed attackers to achieve root access on vulnerable devices

RealTek SDK vulnerabilities impact dozens of downstream IoT vendors

Security flaws in chipsets used by more than 65 IoT device manufacturers have been identified by researchers.

The vulnerabilities affect WiFi-enabled devices using a software development kit (SDK) from Realtek.

According to researchers at German security firm IoT Inspector, the vulnerabilities could affect almost 200 IoT product lines and hundreds of thousands of devices.

Root access

As detailed in a technical write-up published today (August 16), IoT Inspector found flaws within the Realtek RTL819xD chip, which allows hackers to gain root access to the host device, its operating system, and potentially other devices on the network.

The chips provide wireless connectivity to manufacturers’ IoT kit. The software is used in products ranging from WiFi routers to IP cameras.

Read more of the latest infosec research news from around the world

The flaws affect several versions of Realtek SDKs: Realtek SDK v2.x, various Realtek ‘Jungle’ SDK versions, and Realtek ‘Luna’ SDK up to version 1.3.2.

IoT Inspector discovered four vulnerabilities: a ‘WiFi Simple Config’ stack buffer overflow via UPnP (CVE-2021-35392); a heap-based buffer overflow (CVE-2021-35393); a command injection in the MP Daemon diagnostic tool (CVE-2021-35394); and CVE-2021-35395, which lists multiple vulnerabilities in the SDK’s management web interface.

Unauthenticated RCE

The most serious of the web interface flaws is an arbitrary command execution in formSysCmd, as little skill is needed to exploit the bug, IoT Inspector’s managing director Florian Lukavsky told The Daily Swig.

“By exploiting these vulnerabilities, remote unauthenticated attackers can fully compromise the target device and execute arbitrary code with the highest level of privilege,” IoT Inspector warned in its advisory blog post.

The researchers used Shodan to identify potentially vulnerable systems, and also found that wireless routers from a number of ISPs, primarily in India, Taiwan, and China, were vulnerable.

Securing the supply chain

Researchers have previously identified vulnerabilities in devices using the Realtek SDK. But, Lukavsky explained, these have been attributed to the device manufacturers rather than to the SDK supplier itself.

Manufacturers have patched vulnerabilities in their branches of the code but, Lukavsky says, these have not been passed back to Realtek so the fix could be made more widely available.

Security experts are warning users of devices with the Realtek SDK, and other IoT hardware, to run software updates, enable “optional” security features and change default credentials where they can.

“The vulnerabilities listed here are not trivial,” Dray Agha, cybersecurity consultant at Crest member firm Jumpsec told The Daily Swig.

INSIGHT Fight or flight: How one of the UK’s busiest airports defends against cyber-attacks

“They err on the side of irresponsible to be frank, as near every vulnerability listed would give an adversary unfettered control over the device they target.”

“Looking at the list of manufacturers who are affected by the Realtek SDK vulnerabilities, it’s concerning that an attacker could gain control of a wireless router through these exploits.

“Given that wireless routers are a central ‘node’ for many devices, compromise here would spell disaster for all of the other devices you have in your home and workplace.”

Realtek has issued patches and a security advisory (PDF) for the affected components.

HACKING TOOLS Bow to the USBsamurai: Malicious USB cable leaves air-gapped networks open to attack