Realtek AP-Router SDK vulnerabilities could impact millions of routers and IoT devices

The IoT Inspector Research Lab has discovered four high and critical vulnerabilities in the Realtek AP-Router “Jungle” SDK used for RTL819x SoCs that could impact millions of WiFi routers and dongles.

An attacker can use a network attack, e.g. without physical access to the device, to generate a buffer or stack overflow helping him access the system and execute his own code. Realtek has released an advisory (PDF) with patchsets for all four vulnerabilities so you should upgrade the firmware if you can.

Summary of the four vulnerabilities:

• CVE-2021-35392 – Realtek Jungle SDK version v2.x up to v3.4.14B provides a ‘WiFi Simple Config’ server called wscd or mini_upnpd that implements both UPnP and SSDP protocols. The server is vulnerable to a heap buffer overflow that is present due to unsafe crafting of SSDP NOTIFY messages from received M-SEARCH messages ST header.
• CVE-2021-35393 – Also impacts ‘WiFi Simple Config’ server (wscd or mini_upnpd) but this CVE reports vulnerability to a stack buffer overflow vulnerability that is present due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header. Successful exploitation of this vulnerability allows remote unauthenticated attackers to gain arbitrary code execution on the affected device.
• CVE-2021-35394 – Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.
• CVE-2021-35395 – Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management/configuration interface. Two versions of the interface are available, and both the Go-Ahead based “webs” and the Boa-based “boa” are impacted and vulnerable to the following issues:
  • Stack buffer overflow in formRebootCheck due to unsafe copy of submit-url parameter
  • Stack buffer overflow in formWsc due to unsafe copy of submit-url parameter
  • Stack buffer overflow in formWlanMultipleAP due to unsafe copy of submit-url parameter
  • Stack buffer overflow in formWlSiteSurvey due to unsafe copy of ifname parameter
  • Stack buffer overflow in formStaticDHCP due to unsafe copy of hostname parameter
  • Stack buffer overflow in formWsc due to unsafe copy of ‘peerPin’ parameter
  • Arbitrary command execution in formSysCmd via the sysCmd parameter
  • Arbitrary command injection in formWsc via the ‘peerPin’ parameter

  The exploitability of those issues will depend on the specific implementation of the authentication mechanism and functions used from the Realtek SDK webserver. Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device.

The IoT Inspector Research Lab provides the full details of the vulnerabilities, as its team discovered them, and informed Realtek about three months ago to let them work on patchsets. You’ll also find a free tool, but that requires registration, to check for Realtek firmware vulnerabilities.

Realtek RTL819x processors are found in residential gateways, travel routers, Wi-Fi repeaters, IP cameras, smart lighting gateways, and some connected toys. It’s very likely that most products will be not updated, especially cheap routers are seldom upgraded, and a firmware update, if available, is often a manual process. The OpenWrt project has no discussion about the vulnerabilities, but it’s quite likely the open-source Linux operating system is not impacted since it does not rely on the Realtek SDK.

Thanks to Jim for the tip.

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress