ID CVE-2020-27302 Type cve Reporter vuln@vdoo.com Modified 2021-06-14T18:06:00
Description
A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "memcpy" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.
{"id": "CVE-2020-27302", "bulletinFamily": "NVD", "title": "CVE-2020-27302", "description": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"memcpy\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake.", "published": "2021-06-04T13:15:00", "modified": "2021-06-14T18:06:00", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27302", "reporter": "vuln@vdoo.com", "references": ["https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"], "cvelist": ["CVE-2020-27302"], "immutableFields": [], "type": "cve", "lastseen": "2021-06-15T08:52:43", "edition": 2, "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "thn", "idList": ["THN:F5C882106D7F77972BB6ECD8F8D3A13D"]}], "modified": "2021-06-15T08:52:43", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2021-06-15T08:52:43", "rev": 2}, "twitter": {"counter": 6, "modified": "2021-06-05T08:51:38", "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1401856471466397696", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-27302) has been published on https://t.co/BlYKey6YZx?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1401856471466397696", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-27302) has been published on https://t.co/BlYKey6YZx?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1404536845489381378", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-27302 (rtl8195a_firmware, rtl8710c_firmware)) has been published on https://t.co/jipZRxOvxo?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1401856467867742213", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2020-27302) has been published on https://t.co/AuTVpJCG0w?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1401856467867742213", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2020-27302) has been published on https://t.co/AuTVpJCG0w?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1404536828921880582", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2020-27302 (rtl8195a_firmware, rtl8710c_firmware)) has been published on https://t.co/fHeixcAPEK?amp=1"}]}, "vulnersScore": 5.8}, "cpe": ["cpe:/o:realtek:rtl8710c_firmware:-", "cpe:/o:realtek:rtl8195a_firmware:-"], "affectedSoftware": [{"cpeName": "realtek:rtl8195a_firmware", "name": "realtek rtl8195a firmware", "operator": "eq", "version": "-"}, {"cpeName": "realtek:rtl8710c_firmware", "name": "realtek rtl8710c firmware", "operator": "eq", "version": "-"}], "affectedConfiguration": [{"cpeName": "realtek:rtl8195a", "name": "realtek rtl8195a", "operator": "eq", "version": "-"}, {"cpeName": "realtek:rtl8710c", "name": "realtek rtl8710c", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:h:realtek:rtl8710c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:realtek:rtl8710c_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}, {"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:realtek:rtl8195a_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}]}, "extraReferences": [{"name": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 7.7, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:realtek:rtl8195a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:realtek:rtl8710c_firmware:-:*:*:*:*:*:*:*"], "cwe": ["CWE-787"], "scheme": null}
{"thn": [{"lastseen": "2021-06-03T12:45:01", "bulletinFamily": "info", "cvelist": ["CVE-2020-27301", "CVE-2020-27302", "CVE-2020-9395"], "description": "[](<https://thehackernews.com/images/-DmjDDFPDoR0/YLjBP6MGWvI/AAAAAAAACu8/jaOuWaGopfou_ho1qczfxJWDZXm8TU1RQCLcBGAsYHQ/s0/Realtek-hacking.jpg>)\n\nA new set of critical vulnerabilities has been disclosed in the Realtek RTL8170C Wi-Fi module that an adversary could abuse to gain elevated privileges on a device and hijack wireless communications.\n\n\"Successful exploitation would lead to complete control of the Wi-Fi module and potential root access on the OS (such as Linux or Android) of the embedded device that uses this module,\" researchers from Israeli IoT security firm Vdoo [said](<https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day>) in a write-up published yesterday.\n\nThe Realtek [RTL8710C](<https://www.amebaiot.com/en/ameba-arduino-getting-started-rtl8710/>) Wi-Fi SoC underpins Ameba, an Arduino-compatible programmable platform equipped with peripheral interfaces for building a variety of IoT applications by devices spanning across agriculture, automotive, energy, healthcare, industrial, security, and smart home sectors.\n\n[](<https://go.thn.li/1-728-5> \"password auditor\" )\n\nThe flaws affect all embedded and IoT devices that use the component to connect to Wi-Fi networks and would require an attacker to be on the same Wi-Fi network as the devices that use the RTL8710C module or know the network's pre-shared key (PSK), which, as the name implies, is a cryptographic secret used to authenticate wireless clients on local area networks.\n\nThe findings follow an [earlier analysis](<https://thehackernews.com/2021/02/critical-bugs-found-in-popular-realtek.html>) in February that found similar weaknesses in the Realtek RTL8195A Wi-Fi module, chief among them being a buffer overflow vulnerability (CVE-2020-9395) that permits an attacker in the proximity of an RTL8195 module to completely take over the module without having to know the Wi-Fi network password.\n\n[](<https://thehackernews.com/images/-jT-Ij62Y3Ww/YLjAZSsvbnI/AAAAAAAACu0/bk5UPh5Avo4dsjOPkJ7hCP8KVQrwo9l9ACLcBGAsYHQ/s0/hacking.jpg>)\n\nIn the same vein, the RTL8170C Wi-Fi module's WPA2 [four-way handshake](<https://en.wikipedia.org/wiki/IEEE_802.11i-2004#Four-way_handshake>) mechanism is vulnerable to two stack-based buffer overflow vulnerabilities (CVE-2020-27301 and CVE-2020-27302, CVSS scores: 8.0) that abuse the attacker's knowledge of the PSK to obtain remote code execution on WPA2 clients that use this Wi-Fi module.\n\nAs a potential real-world attack scenario, the researchers demonstrated a proof-of-concept (PoC) exploit wherein the attacker masquerades as a legitimate access point and sends a malicious encrypted group temporal key (GTK) to any client (aka supplicant) that connects to it via WPA2 protocol. A group temporal key is used to secure all multicast and broadcast traffic.\n\nVdoo said there are no known attacks underway exploiting the vulnerabilities, adding firmware versions released after Jan. 11, 2021 include mitigations that resolve the issue. The company also recommends using a \"strong, private WPA2 passphrase\" to prevent exploitation of the above issues in scenarios where the device's firmware can't be updated.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-06-03T11:55:49", "published": "2021-06-03T11:54:00", "id": "THN:F5C882106D7F77972BB6ECD8F8D3A13D", "href": "https://thehackernews.com/2021/06/researchers-warn-of-critical-bugs.html", "type": "thn", "title": "Researchers Warn of Critical Bugs Affecting Realtek Wi-Fi Module", "cvss": {"score": 4.9, "vector": "AV:A/AC:M/Au:S/C:P/I:P/A:P"}}]}
