A German cybersecurity researcher warned that at least 65 vendors have been affected by severe flaws in three Realtek software development kits (SDKs) for its WiFi modules that allow unauthenticated individuals to fully compromise a target device.
In a warning to its customers, Realtek confirmed the flaws could allow an attacker to take over a device through remote code execution.
The flaws affect Realtek SDK v2.x, Realtek “Jungle” SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT, and Realtek “Luna” SDK up to version 1.3.2. The findings were presented in a report published Monday, three months after they were disclosed to Realtek in May 2021.
The four flaws are as follows:
- CVE-2021-35392 (CVSS score: 8.1) – Heap buffer overflow vulnerability in ‘WiFi Simple Config’ server due to unsafe crafting of SSDP NOTIFY messages
- CVE-2021-35393 (CVSS score: 8.1) – Stack buffer overflow vulnerability in ‘WiFi Simple Config’ server due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header
- CVE-2021-35394 (CVSS score: 9.8) – Multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability in ‘UDPServer’ MP tool
- CVE-2021-35395 (CVSS score: 9.8) – Multiple buffer overflow vulnerabilities in HTTP web server ‘boa’ due to unsafe copies of some overly long parameters.
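
As an added illustration of the defensive counterpart to the bug class behind CVE-2021-35393 (this is not Realtek's code and is not taken from the report), the following C sketch parses a UPnP Callback header value into fixed-size buffers and rejects anything that does not fit. The struct, function names and buffer limits are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

#define CB_HOST_MAX 64   /* assumed limits for this example */
#define CB_PATH_MAX 128

struct callback_url { char host[CB_HOST_MAX]; unsigned port; char path[CB_PATH_MAX]; };

/* Copy len bytes only if they fit in dst together with the terminator. */
static int copy_bounded(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "<http://host[:port]/path>"; returns 0 on success, -1 on reject. */
int parse_callback(const char *value, struct callback_url *out)
{
    static const char prefix[] = "<http://";
    const char *host, *end, *slash, *colon;

    memset(out, 0, sizeof(*out));
    if (strncmp(value, prefix, sizeof(prefix) - 1) != 0)
        return -1;
    host = value + sizeof(prefix) - 1;
    end = strchr(host, '>');
    slash = end ? memchr(host, '/', (size_t)(end - host)) : NULL;
    if (slash == NULL)
        return -1;                      /* unterminated value or no path */
    colon = memchr(host, ':', (size_t)(slash - host));
    out->port = 80;                     /* default when no port is given */
    if (colon != NULL) {
        char *stop;
        unsigned long p = strtoul(colon + 1, &stop, 10);
        if (colon[1] < '0' || colon[1] > '9' || stop != slash || p == 0 || p > 65535)
            return -1;                  /* non-numeric or out-of-range port */
        out->port = (unsigned)p;
    }
    if (copy_bounded(out->host, sizeof(out->host), host, (size_t)((colon ? colon : slash) - host)) ||
        copy_bounded(out->path, sizeof(out->path), slash, (size_t)(end - slash)))
        return -1;                      /* component longer than its buffer */
    return 0;
}
```

Every length is derived from pointers bounded by the closing `>` and checked against the destination size before any byte is copied, so an overlong host or path is rejected instead of truncated or written past the buffer.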
Besides Realtek’s own router lineup, the flawed SDKs are used widely in various devices that support wireless connectivity. These include travel routers, WiFi repeaters, residential gateways, IP cameras, smart lighting gateways, and connected toys. Impacted manufacturers include AIgital, ASUSTek, Beeline, Belkin, Buffalo, D-Link, Edimax, Huawei, LG, Logitec, MT-Link, Netis, Netgear, Occtel, PATECH, TCL, Sitecom, ZTE, and Zyxel.
The total number of affected devices could be close to a million, said the researcher from IoT Inspector, who discovered the flaws:
“We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million,” researchers said.
While patches have been released for Realtek “Luna” SDK in version 1.3.2a, users of the “Jungle” SDK are advised to backport Realtek’s fixes.
Security issues in Realtek’s codebase were discovered more than a decade ago and were already known to the company, yet they remained untouched for over a decade.
Researchers cited insufficient secure software development practices, in particular lack of security testing and code review, as reasons for the flaws.
“On the product vendor’s end, […] manufacturers with access to the Realtek source code […] missed to sufficiently validate their supply chain, [and] left the issues unspotted and distributed the vulnerabilities to hundreds of thousands of end customers — leaving them vulnerable to attacks,” the researchers said.