Realtek AP-Router SDK vulnerabilities could impact millions of routers and IoT devices

The IoT Inspector Research Lab has discovered four high and critical vulnerabilities in the Realtek AP-Router “Jungle” SDK used for RTL819x SoCs that could impact millions of WiFi routers and dongles.

An attacker can use a network attack, e.g. without physical access to the device, to generate a buffer or stack overflow helping him access the system and execute his own code. Realtek has released an advisory (PDF) with patchsets for all four vulnerabilities so you should upgrade the firmware if you can.

Realtek SDK vulnerabilities

Summary of the four vulnerabilities:

  • CVE-2021-35392 – Realtek Jungle SDK version v2.x up to v3.4.14B provides a ‘WiFi Simple Config’ server called wscd or mini_upnpd that implements both UPnP and SSDP protocols. The server is vulnerable to a heap buffer overflow that is present due to unsafe crafting of SSDP NOTIFY messages from received M-SEARCH messages ST header.
  • CVE-2021-35393 – Also impacts ‘WiFi Simple Config’ server (wscd or mini_upnpd) but this CVE reports vulnerability to a stack buffer overflow vulnerability that is present due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header. Successful exploitation of this vulnerability allows remote unauthenticated attackers to gain arbitrary code execution on the affected device.
  • CVE-2021-35394 – Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.
  • CVE-2021-35395 – Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management/configuration interface. Two versions of the interface are available, and both the Go-Ahead based “webs” and the Boa-based “boa” are impacted and vulnerable to the following issues:
    • Stack buffer overflow in formRebootCheck due to unsafe copy of submit-url parameter
    • Stack buffer overflow in formWsc due to unsafe copy of submit-url parameter
    • Stack buffer overflow in formWlanMultipleAP due to unsafe copy of submit-url parameter
    • Stack buffer overflow in formWlSiteSurvey due to unsafe copy of ifname parameter
    • Stack buffer overflow in formStaticDHCP due to unsafe copy of hostname parameter
    • Stack buffer overflow in formWsc due to unsafe copy of ‘peerPin’ parameter
    • Arbitrary command execution in formSysCmd via the sysCmd parameter
    • Arbitrary command injection in formWsc via the ‘peerPin’ parameter

    The exploitability of those issues will depend on the specific implementation of the authentication mechanism and functions used from the Realtek SDK webserver. Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device.

The IoT Inspector Research Lab provides the full details of the vulnerabilities, as its team discovered them, and informed Realtek about three months ago to let them work on patchsets. You’ll also find a free tool, but that requires registration, to check for Realtek firmware vulnerabilities.

Realtek RTL819x processors are found in residential gateways, travel routers, Wi-Fi repeaters, IP cameras, smart lighting gateways, and some connected toys. It’s very likely that most products will be not updated, especially cheap routers are seldom upgraded, and a firmware update, if available, is often a manual process. The OpenWrt project has no discussion about the vulnerabilities, but it’s quite likely the open-source Linux operating system is not impacted since it does not rely on the Realtek SDK.

Thanks to Jim for the tip.

Share this:

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX Rockchip RK3588 mini-ITX motherboard
Subscribe
Notify of
guest
The comment form collects your name, email and content to allow us keep track of the comments placed on the website. Please read and accept our website Terms and Privacy Policy to post a comment.
7 Comments
oldest
newest
PhilS
PhilS
3 years ago

The average user will not know what devices will have the Realtek chipsets in their equipment and what support is offered here requires an upload of firmware.

So as a valid response to what could be a serious issue, Realtek’s actioning is nothing short of pathetic.

wanderer_
3 years ago

Although we’re hoping that the average user’s local network is also not exposed to attack. Then again, RCE on the WiFi interface could result in some pretty dangerous attacks. So yes, I definitely agree.

Frans
Frans
3 years ago

There is definitely an issue here, but I do not really see what Realtek could have done more.
Realtek cannot fix the issue in my router or submit new firmware for it. That is something the router manufacturer has to do.

JimG
JimG
3 years ago

What about SBCs that use this chip? Will they get updated via kernel updates?

John Sam
John Sam
3 years ago

Most these IoT things are behind of the router, you have nothing to worry about.

Hugh
Hugh
3 years ago

The Advisory from IoT Inspector has an appendix listing vulnerable device models found by Shodan on the internet. Most are not IoT.

Boardcon Rockchip RK3588S SBC with 8K, WiFI 6, 4G LTE, NVME SSD, HDMI 2.1...