[German]Security researchers at IoT Inspector have found multiple vulnerabilities in a Realtek SDK that allow unauthenticated attackers to fully compromise a device and execute arbitrary code with the highest privileges. The SDK is used by many OEMs to implement WiFi features in devices. Realtek has released an updated version of the SDK, but the code is in numerous IoT devices. At least 65 manufacturers are affected by serious security vulnerabilities, and users face the problem that these devices can be taken over by botnets and attackers.
Advertising
IoT Inspector security researchers, while investigating a particular cable modem for vulnerabilities, found that this system used a dual-SoC design. The main SoC ran a Linux system, while the second SoC – a special Realtek RTL819xD chipset that implements all access point functions – ran a different, stripped-down Linux system from Realtek.
Realtek SDK for SoC chip
Realtek chipsets are used in many embedded devices in the IoT space, and RTL8xxx SoCs are very common in WiFi devices. Security researchers therefore decided to devote more time to firmware on the Realtek RTL819xD chipset, as they write in this blog post. That's because binaries on the RTL819xD SoC that provide network services are made available by Realtek as part of the Realtek SDK to vendors and manufacturers that build this chipset into devices. If there are vulnerabilities in the Realtek SDK, this immediately affects a number of OEM devices. And as it turned out, there was a lot wrong there.
Multiple vulnerabilities in Realtek SDK
IoT Inspector's firmware analysis platform was used to scan these binaries from the SDK for vulnerabilities. The security researchers found more than a dozen vulnerabilities at once, ranging from command injection to memory corruption, affecting UPnP, HTTP (web interface for management) and a Realtek custom network service. The vulnerabilities allow unauthenticated attackers to fully compromise the target device remotely and execute arbitrary code at the highest privilege level.
Security researchers say they have identified at least 65 different affected manufacturers with nearly 200 unique "fingerprints" in their firmware. Many devices could be traced via the Shodan search engine, which the security researchers also attribute to some misconfigurations by manufacturers and retailers. As a result, these devices are accessible via the Internet and thus exposed to the increased risk. The affected devices have Wi-Fi capabilities and cover a wide range of use cases, from residential gateways, mobile routers, Wi-Fi repeaters, IP cameras to smart gateways for lighting or even toys connected to the Internet.
Realtek Security Alert
Taiwan-based vendor Realtek has since issued both an updated SDK and a security advisory as PDF for vulnerabilities CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, CVE-2021-35395. The Realtek AP Router SDK in the following versions is affected:
Advertising
- rtl819x-SDK-v3.2.x Series
- rtl819x-SDK-v3.4.x Series
- rtl819x-SDK-v3.4T Series
- rtl819x-SDK-v3.4T-CT Series
- rtl819x-eCos-v1.5.x Series
The risk is classified as high by Realtek. In the PDF document, the manufacturer lists the patched files and some details about the vulnerabilities. In addition, IoT Inspector has documented these vulnerabilities in detail in this blog post.
Mirai botnet is already exploiting the vulnerabilities
I came across the issue via the following tweet, among others. There it is pointed out that the vulnerabilities are already being exploited to take over the devices by a variant of the Mirai botnet.
Are my devices affected?
The big problem with this story for end users is whether their devices are affected and whether the respective device manufacturer provides firmware updates to close these vulnerabilities. IoT Inspector gives the hint in this blog post that you can get a first hint by inspecting the directories on the SoC. If the /etc/motd file is found there and rlx-linux is mentioned, that is an indicator that the Realtek SDK was used. rlx-linux is a stripped down Linux system from Realtek that was developed specifically for the RTL chipsets.
The problem as I see it: The bulk of users will not notice this security warning at all, another part might not be able to inspect the firmware on the SoC. What's left for a first quick check if you might be affected with your hardware zoo?
IoT Inspector lists a number of devices from various manufacturers in its blog post where the vulnerable Realtek SDK was used to build the firmware. This ranges from ASUSTek and Belkin WLAN routers to Buffalo and D-Link WLAN devices to Hama, Logitec, and Netgear products. Of course, Realtek components, devices from Technicolor and Zyxel are also included. Just go through the linked blog post, the corresponding notes can be found at the end of the article.
Advertising