Remote code execution flaws lurk in countless routers, IoT gear, cameras using Realtek Wi-Fi module SDKs

Taiwanese chip designer Realtek has warned of four vulnerabilities in three SDKs accompanying its Wi-Fi modules, which are used in almost 200 products made by more than five dozen vendors.

The flaws allow a remote, unauthenticated attacker to deny service, crash devices, and inject arbitrary commands, the advisory states [PDF]:

• CVE-2021-35392, Wi-Fi Simple Config stack buffer overflow via UPnP
• CVE-2021-35393, Wi-Fi Simple Config heap buffer overflow via SSDP
• CVE-2021-35394, MP Daemon diagnostic tool command injection
• CVE-2021-35395, management web interface multiple vulnerabilities

The first two are rated high in terms of severity (8.1 on the CVSS scale); the second two are rated critical severity (9.8). These flaws require an attacker to be on the same network as the device, or be able to reach it over the internet, to achieve successful exploitation. As such, these bugs are likely to be abused by malware on someone's PC to hijack their cable internet router and smart home gear; by miscreants to commandeer public Wi-Fi spots; and so on.

Security firm IoT Inspector, based in Bad Homburg, Germany, disclosed the vulnerabilities to Realtek in May, and said more than 65 hardware makers' products incorporate the Realtek RTL819xD module, which implements wireless access point functions and includes one of the vulnerable SDKs.

"By exploiting these vulnerabilities, remote unauthenticated attackers can fully compromise the target device and execute arbitrary code with the highest level of privilege," the biz said in its advisory, estimating – conservatively, we think – that almost a million vulnerable devices may be in use, including VoIP and wireless routers, repeaters, IP cameras, and smart lighting controls.

Manufacturers using vulnerable Wi-Fi modules are strongly encouraged to check their devices and provide security patches to their users

"We notified Realtek, and they immediately responded and provided an appropriate patch," said Florian Lukavsky, managing director of IoT Inspector, in a statement. "Manufacturers using vulnerable Wi-Fi modules are strongly encouraged to check their devices and provide security patches to their users."

It's perhaps worth adding that researchers with IoT Inspector identified affected hardware using the Shodan vulnerability search engine, which means miscreants can do the same. Vendors of the vulnerable kit are believed to include: AsusTEK, Belkin, D-Link, Edimax, Hama, Logitech, and Netgear, among others.

"For an exploit to succeed, an attacker usually needs to be on the same Wi-Fi network," the IoT Inspector team continued. "However, faulty ISP configurations also expose numerous vulnerable devices directly to the Internet. A successful attack would provide full control of the Wi-Fi module, as well as root access to the embedded device’s operating system."

• Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you're using HTTPS, SSH, VPNs... right?
• Zephyr OS Bluetooth vulnerabilities left smart devices open to attack
• Peer-to-peer takes on a whole new meaning when used to spy on 3.7 million or more cameras, other IoT gear
• Wi-Fi kit spilling data with bad crypto – Huawei, eh? No, it's Cisco. US giant patches Krook spy-hole bug in network gear

Among the three SDK iterations identified – Realtek SDK v2.x; Realtek “Jungle” SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT; and Realtek “Luna” SDK up to version 1.3.2 – the first is no longer supported as it is 11 years old. For the "Jungle" SDK, Realtek is making its fixes available but these will have to be backported, according to IoT Inspector. The more recent "Luna" SDK 1.3.2a has been patched.

These fixes will need to be pushed out to and installed by devices via software updates. That is to say, it's one thing for Realtek to address the flaws in its software, it's quite another for these changes to make their way to equipment out in the field. If possible, check for firmware updates for your gear and deploy them if able.

The security outfit notes, "insufficient secure software development practices, in particular lack of security testing and code review, resulted in dozens of critical security issues to remain untouched in Realtek’s codebase for more than a decade."

Realtek did not immediately respond to a request for comment. ®