Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.
{"cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "RealTek Jungle SDK contains multiple memory corruption vulnerabilities which can allow an attacker to perform remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-10T00:00:00", "type": "cisa_kev", "title": "Realtek Jungle SDK Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35394"], "modified": "2021-12-10T00:00:00", "id": "CISA-KEV-CVE-2021-35394", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:59", "description": "A command injection vulnerability exists in Realtek Jungle SDK. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-31T00:00:00", "type": "checkpoint_advisories", "title": "Realtek Jungle SDK Command Injection (CVE-2021-35394)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35394"], "modified": "2021-08-31T00:00:00", "id": "CPAI-2021-0537", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2023-01-31T04:12:27", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjuQ18EDpSejNSjI4LXD3QqIWSUNsizhibpDA2dATBM02TLkvGlTuFMKtaaTCwUzXejC2W7S_RAhvmvH9MivasVWdrcvXLfeBuGFDBGaSjmnWrWVqqFvIuQAy6upmM9NYORALvNmNeAod4yacpPqTg2R7y15TU-K0HvyfbNYdfYJX1g-h_o9Xl5Cb0X/s728-e365/realtek.png>)\n\nResearchers are warning about a spike in exploitation attempts weaponizing a now-patched critical remote code execution flaw in Realtek Jungle SDK since the start of August 2022.\n\nAccording to Palo Alto Networks Unit 42, the ongoing campaign is said to have recorded 134 
million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months.\n\nClose to 50% of the attacks originated from the U.S. (48.3%), followed by Vietnam (17.8%), Russia (14.6%), The Netherlands (7.4%), France (6.4%), Germany (2.3%), and Luxembourg (1.6%).\n\nWhat's more, 95% of the attacks leveraging the security shortcoming that emanated from Russia singled out organizations in Australia.\n\n\"Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices,\" Unit 42 researchers [said](<https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/>) in a report, adding \"threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world.\"\n\nThe vulnerability in question is [CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>) (CVSS score: 9.8), a set of buffer overflows and an arbitrary command injection bug that could be weaponized to execute arbitrary code with the highest level of privilege and take over affected appliances.\n\nThe issues were [disclosed](<https://thehackernews.com/2021/08/multiple-flaws-affecting-realtek-wi-fi.html>) by ONEKEY (previously IoT Inspector) in August 2021. 
The vulnerabilities impact a wide range of devices from D-Link, LG, Belkin, ASUS, and NETGEAR.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhWl7KB2g91jaJLQlz8JqtXXfHRuE4fMCVoIj0_jp2K2hS_IO9QWCNZKr-VZQj43G8suH4F4JPQfsWwmGo8olW-vqWWITGqlHFOkVMPoXAdYuF4MQRlzdQJ_671ltwwRMNTZ_MhMzmjxGh71GZsmEpadl4zwoWVWYe343tTO8WCVOOe0CeUBm7pfSSg/s728-e365/malware.png>)\n\nUnit 42 said it discovered three different kinds of payloads distributed as a result of in-the-wild exploitation of the flaw -\n\n * A script executes a shell command on the targeted server to download additional malware\n * An injected command that writes a binary payload to a file and executes it, and\n * An injected command that directly reboots the targeted server to cause a denial-of-service (DoS) condition\n\nAlso delivered through the abuse of CVE-2021-35394 are known botnets like [Mirai](<https://thehackernews.com/2022/09/mirai-variant-moobot-botnet-exploiting.html>), [Gafgyt](<https://thehackernews.com/2022/04/new-enemybot-ddos-botnet-borrows.html>), and [Mozi](<https://thehackernews.com/2021/09/chinese-authorities-arrest-hackers.html>), as well as a new Golang-based distributed denial-of-service (DDoS) botnet dubbed RedGoBot.\n\nFirst observed in September 2022, the RedGoBot campaign involves dropping a shell script that's designed to download a number of botnet clients tailored to different CPU architectures. The malware, once launched, is equipped to run operating system commands and mount DDoS attacks.\n\nThe findings once again underscore the importance of updating software in a timely fashion to avoid exposure to potential threats.\n\n\"The surge of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and remediate,\" the researchers concluded. 
\"These issues can make it difficult for the affected user to identify the specific downstream products that are being exploited.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T09:30:00", "type": "thn", "title": "Realtek Vulnerability Under Attack: Over 134 Million Attempts to Hack IoT Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35394"], "modified": "2023-01-31T02:58:12", "id": "THN:70875A5100F074AF3B618981B92A9589", "href": "https://thehackernews.com/2023/01/realtek-vulnerability-under-attack-134.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:13", "description": "[](<https://thehackernews.com/images/-PiZWCeBTtNg/YRtRHWkDPnI/AAAAAAAADjU/14jyow9NKv8ROnMPT_eVpKuR-OFvSGofACLcBGAsYHQ/s0/wifi.jpg>)\n\nTaiwanese chip designer Realtek is warning of [four security 
vulnerabilities](<https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf>) in three software development kits (SDKs) accompanying its WiFi modules, which are used in almost 200 IoT devices made by at least 65 vendors.\n\nThe flaws, which affect Realtek SDK v2.x, Realtek \"Jungle\" SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT, and Realtek \"Luna\" SDK up to version 1.3.2, could be abused by attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege \u2014\n\n * **CVE-2021-35392** (CVSS score: 8.1) - Heap buffer overflow vulnerability in 'WiFi Simple Config' server due to unsafe crafting of SSDP NOTIFY messages\n * **CVE-2021-35393** (CVSS score: 8.1) - Stack buffer overflow vulnerability in 'WiFi Simple Config' server due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header\n * **CVE-2021-35394** (CVSS score: 9.8) - Multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability in 'UDPServer' MP tool\n * **CVE-2021-35395** (CVSS score: 9.8) - Multiple buffer overflow vulnerabilities in HTTP web server 'boa' due to unsafe copies of some overly long parameters\n\n[](<https://thehackernews.com/images/-EIgcKb_iBEk/YRtP5RJMxMI/AAAAAAAADjM/cTEyKOzn0asMcS1ihlaXo5YwzZ7xyMNxQCLcBGAsYHQ/s0/wifi-hack.gif>)\n\nImpacting devices that implement wireless capabilities, the list includes residential gateways, travel routers, WiFi repeaters, IP cameras, smart lighting gateways, and even connected toys from a wide range of manufacturers such as AIgital, ASUSTek, Beeline, Belkin, Buffalo, D-Link, Edimax, Huawei, LG, Logitec, MT-Link, Netis, Netgear, Occtel, PATECH, TCL, Sitecom, ZTE, Zyxel, and Realtek's own router lineup.\n\n\"We got 198 unique fingerprints for devices that answered over UPnP. 
If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million,\" researchers said.\n\nWhile patches have been released for Realtek \"Luna\" SDK in version 1.3.2a, users of the \"Jungle\" SDK are recommended to backport the fixes provided by the company.\n\nThe security issues are said to have remained untouched in Realtek's codebase for more than a decade, German cybersecurity specialist IoT Inspector, which [discovered](<https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/>) the weaknesses, said in a report published Monday three months after disclosing them to Realtek in May 2021.\n\n\"On the product vendor's end, [...] manufacturers with access to the Realtek source code [...] missed to sufficiently validate their supply chain, [and] left the issues unspotted and distributed the vulnerabilities to hundreds of thousands of end customers \u2014 leaving them vulnerable to attacks,\" the researchers said.\n\n**_Update:_** Three days after details about the Realtek vulnerabilities were revealed, active exploitation attempts have been detected to spread a variant of a Mirai malware and rope the compromised devices into the botnet. The same threat actor behind this Mirai-based botnet has also been linked to a [string of attacks](<https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html>) at least since February 2021, leveraging newly disclosed flaws in network security appliances and home routers to their advantage.\n\n\"This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly,\" network security firm SAM Seamless Network [said](<https://securingsam.com/realtek-vulnerabilities-weaponized/>) last week. 
\"These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-17T06:19:00", "type": "thn", "title": "Multiple Flaws Affecting Realtek Wi-Fi SDKs Impact Nearly a Million IoT Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35392", "CVE-2021-35393", "CVE-2021-35394", "CVE-2021-35395"], "modified": "2021-08-24T04:42:33", "id": "THN:B73C2EFCE2F6E4AC50F5CFFF3165A5C1", "href": "https://thehackernews.com/2021/08/multiple-flaws-affecting-realtek-wi-fi.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:28", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjCLWA9ej6V4Dmqan8izWYByrgeQ-QyYf3he3sTJm7L_GXGXh7fE0PhR1MJ_KwTJIFbBo2Zbl_br8Hii3M-EiNL-aydoNRMq5Lv7umbWh4kO7J-2Y0vD4kWxLye8iaSyg1gacJ7nMHbcN2YRwb0PFQdKJxy8tU4unwnp0O9Lca5owLbuMJuftLAMXWZ/s728-e100/hacker.jpg>)\n\nA threat group that pursues crypto mining and distributed denial-of-service (DDoS) attacks has been linked to a new botnet called Enemybot, which has been discovered enslaving routers and Internet of Things (IoT) devices since last month.\n\n\"This botnet is mainly derived from [Gafgyt](<https://thehackernews.com/2016/03/internet-of-thing-malware.html>)'s source code but has been observed to borrow several modules from [Mirai](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>)'s original source code,\" Fortinet FortiGuard Labs [said](<https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet>) in a report this week.\n\nThe botnet has been attributed to an actor named Keksec (aka [Kek Security](<https://nsfocusglobal.com/freakout-analysis-report-1/>), Necro, and [FreakOut](<https://thehackernews.com/2021/01/freakout-ongoing-botnet-attack.html>)), which has been linked to multiple botnets such as [Simps](<https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group>), [Ryuk](<https://www.lacework.com/blog/keksec-tsunami-ryuk/>) (not to be confused with the ransomware of the same name), and [Samael](<https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/>), and has a history of targeting cloud infrastructure to carry out crypto mining and DDoS operations.\n\nPrimarily targeting routers from Seowon Intech, D-Link, and iRZ to propagate its infections and grow in volume, an analysis of the [malware specimen](<https://www.virustotal.com/gui/file/fec09b614d67e8933e2c09671e042ce74b40048b5f0feed49ba81a2c18d4f473>) has highlighted Enemybot's obfuscation attempts to hinder analysis and connect to a remote 
server that's hosted in the Tor anonymity network to fetch attack commands.\n\nEnemybot, like the other botnet malware, is the result of combining and modifying the source code of Mirai and Gafgyt, with the latest version using the former's scanner and bot killer modules that are used to scan and terminate competitor processes running on the same devices.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj8z8xwID-iXZLVyZLm9Z2Xnamq2854RNWRDC7ESLcn6Eih39TfW_C66e3JICd2M1VcGpq3DYCEB16ONeTzsaXfYb0Zw4wygokyIe1XhG-ovRBTVzL61lCxocSdf-ze6M0lj1ruo5i66WWNDY56sF_d_mlog-oQWzwWh_xsLgpVMcCMTzZ6GP8ugvBX/s728-e100/exploit.jpg>)\n\nSome of the n-day vulnerabilities used by the botnet to infect more devices are as follows - \n\n * [**CVE-2020-17456**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17456>) (CVSS score: 9.8) - A remote code execution flaw in Seowon Intech SLC-130 And SLR-120S devices.\n * [**CVE-2018-10823**](<https://nvd.nist.gov/vuln/detail/CVE-2018-10823>) (CVSS score: 8.8) - An arbitrary code execution vulnerability in D-Link routers\n * [**CVE-2022-27226**](<https://nvd.nist.gov/vuln/detail/CVE-2022-27226>) (CVSS score: 8.8) - A cross-site request forgery issue affecting iRZ Mobile Routers leading to remote code execution\n\nFortinet also pointed out its overlaps with [Gafgyt_tor](<https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/>), suggesting that \"Enemybot is likely an updated and 'rebranded' variant of Gafgyt_tor.\"\n\nThe disclosure comes as researchers from Qihoo 360's Network Security Research Lab (360 Netlab) detailed a rapidly spreading DDoS botnet called [Fodcha](<https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/>) that has ensnared more than 10,000 daily active bots, cumulatively infecting over 62,000 unique bots from March 29 to April 10, 2022.\n\nFodcha has been observed spreading through known vulnerabilities in Android, GitLab 
([CVE-2021-22205](<https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html>)), Realtek Jungle SDK ([CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>)), digital video recorders from MVPower, LILIN, and routers from TOTOLINK and ZHONE.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-14T10:07:00", "type": "thn", "title": "New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10823", "CVE-2020-17456", "CVE-2021-22205", "CVE-2021-35394", "CVE-2022-27226"], "modified": "2022-04-14T13:02:45", "id": "THN:9DA9559F6ED442FDD28902ECFE7EA70D", "href": "https://thehackernews.com/2022/04/new-enemybot-ddos-botnet-borrows.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": 
"2023-01-24T20:12:47", "description": "Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called \u2018MP Daemon\u2019 that is usually compiled as \u2018UDPServer\u2019 binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-16T00:00:00", "type": "attackerkb", "title": "CVE-2021-35394", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35392", "CVE-2021-35394"], "modified": "2021-08-27T00:00:00", "id": "AKB:AC0BBE7C-D615-489A-B690-80E7FE18FD30", "href": "https://attackerkb.com/topics/e2g1BEmOOp/cve-2021-35394", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-08-24T02:09:46", "description": "Threat actors zeroing in on command injection vulnerabilities reported in Realtek chipsets just days after multiple flaws were 
discovered in the software development kits (SDKs) deployed across at least 65 separate vendors.\n\nOn Aug. 16 multiple [Realtek vulnerabilities](<https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/>) were disclosed by IoT Inspector Research Lab. It took about 48 hours for attackers to start trying to exploit them. SAM Seamless Network reported that two days after the bugs were made public, attackers made \u201cmultiple\u201d attempts to breach the company\u2019s Secure Home product to [spread a new version of Mirai malware](<https://securingsam.com/realtek-vulnerabilities-weaponized/>).\n\n\u201cSpecifically, we noticed exploit attempts to \u2018formWsc\u2019 and \u2018formSysCmd\u2019 web pages,\u201d SAM\u2019s report on the incident said. \u201cThe exploit attempts to deploy a Mirai variant detected in March by Palo Alto Networks. Mirai is a notorious IoT and router malware circulating in various forms for the last 5 years. It was originally used to shut down large swaths of the internet but has since evolved into many variants for different purposes.\u201d\n\nThe report goes on to link another similar attack to the attack group. On Aug. 6 Juniper Networks found a vulnerability that just two days later was also exploited to try and deliver the same Mirai botnet using the same network subnet, the report explained.\n\n\u201cThis chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly,\u201d SAM said. \u201cThese kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.\u201d\n\nRealtek Semiconductor Corp. 
has not yet responded to Threatpost\u2019s request for comment, but the company did release [this advisory](<https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf>) on CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, and CVE-2021-35395.\n\n[Mirai\u2019s source code has exploded in popularity](<https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/>) over the years, with more than [60 variants](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) observed in the wild by last March. That number is still climbing with this latest iteration tailored to target the Realtek SDK flaws.\n\n## **Devices Targeted**\n\nConsidering the number of vendors impacted, researchers are concerned threat actors have ample first-move opportunities to exploit the bug before patches are deployed.\n\nSAM said the devices most exposed to the Realtek SDK bug are:\n\n * Netis E1+ extender\n * Edimax N150 and N300 Wi-Fi router\n * Repotec RP-WR5444 router\n\nThe original IoT Inspector report linked this kind of vulnerability to recent supply chain attacks on [SolarWinds](<https://threatpost.com/solarwinds-attackers-dhs-emails/165110/>) and [Kaseya](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>).\n\n\u201cAs awareness for supply chain transparency is on the rise among security experts, this example is a pretty good showcase of the vast implications of an obscure IoT supply chain,\u201d the IoT Inspector report said.\n\nJust a day after the Realtek revelations, Mandiant, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), reported [a flaw in IoT cloud](<https://threatpost.com/bug-iot-millions-devices-attackers-eavesdrop/168729/>) platform ThroughTek Kalay. 
The vulnerability would have potentially allowed an attacker to take over an IoT device to listen to live audio, watch real-time video and more.\n\n\u201cThese types of vulnerabilities are surfacing every day and there are probably many more that have yet to be discovered\u2026,\u201d SAM\u2019s Ran Hananel told Threatpost by email.\n\n## **Securing IoT**\n\nYaniv Bar-Dayan, co-founder of Vulcan Cyber, told Threatpost that IoT security is inherently tricky because often it\u2019s not clear who is responsible for the data.\n\n\u201cWhile the responsibility to bring bug fixes and patches to market should lie on the shoulders of vendors, users should be sure to rely on tried-and-true security best practices in the meantime,\u201d Bar-Dayan said. \u201cEncrypt data, use sophisticated and unique passwords or multi-factor authentication, don\u2019t broadcast your network ID, double check configurations, and, above all else, patch early and often.\u201d\n\nBesides patching, Jake Williams at BreachQuest recommends limiting web interface access to the local network.\n\n\u201cThat won\u2019t stop attacks but does limit where they can be conducted from,\u201d Williams said. \u201cThis is particularly true for administrative interfaces.\u201d\n\nIt\u2019s also up to developers to know the code they\u2019re using is secure. A [Software Bill of Materials (SBOM)](<https://threatpost.com/executive-order-cybersecurity-federal-agencies/165056/>) is one solution being pushed by the U.S. government in the wake of the SolarWinds breach.\n\n\u201cDevelopers of any type of software like to use SDKs because it enables them to implement capabilities into their software without having to build it themselves,\u201d Hank Schless from Lookout told Threatpost. \u201cThis is broadly practiced, and there\u2019s a level of implicit trust that developers have in those that build these SDKs that everything packaged inside of them will be safe. 
However, just like with any other type of software, SDKs have their inevitable flaws.\u201d\n", "cvss3": {}, "published": "2021-08-23T14:08:42", "type": "threatpost", "title": "Attackers Actively Exploiting Realtek SDK Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35392", "CVE-2021-35393", "CVE-2021-35394", "CVE-2021-35395"], "modified": "2021-08-23T14:08:42", "id": "THREATPOST:3CDCE42FF7DD2A68B77DC15C8BB1A6BA", "href": "https://threatpost.com/attackers-exploiting-realtek/168856/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa": [{"lastseen": "2022-01-26T11:29:50", "description": "CISA has added 13 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number**\n\n| \n\n**CVE Title**\n\n| \n\n**Remediation Due Date** \n \n---|---|--- \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache Log4j2 Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44515\n\n| \n\nZoho Corp. 
Desktop Central Authentication Bypass Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44168\n\n| \n\nFortinet FortiOS Arbitrary File Download Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>)\n\n| \n\nRealtek Jungle SDK Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2020-8816](<https://nvd.nist.gov/vuln/detail/CVE-2020-8816>)\n\n| \n\nPi-Hole AdminLTE Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2020-17463](<https://nvd.nist.gov/vuln/detail/CVE-2020-17463>)\n\n| \n\nFuel CMS SQL Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-7238](<https://nvd.nist.gov/vuln/detail/CVE-2019-7238>)\n\n| \n\nSonatype Nexus Repository Manager Incorrect Access Control Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-13272](<https://nvd.nist.gov/vuln/detail/cve-2019-13272>)\n\n| \n\nLinux Kernel Improper Privilege Management Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-10758](<https://nvd.nist.gov/vuln/detail/CVE-2019-10758>)\n\n| \n\nMongoDB mongo-express Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-0193](<https://nvd.nist.gov/vuln/detail/CVE-2019-0193>)\n\n| \n\nApache Solr DataImportHandler Code Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-17562](<https://nvd.nist.gov/vuln/detail/cve-2017-17562>)\n\n| \n\nEmbedthis GoAhead Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-12149](<https://nvd.nist.gov/vuln/detail/CVE-2017-12149>)\n\n| \n\nRed Hat Jboss Application Server Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2010-1871](<https://nvd.nist.gov/vuln/detail/CVE-2010-1871>)\n\n| \n\nRed Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living 
list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa", "title": "CISA Adds 13 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2017-12149", "CVE-2017-17562", "CVE-2019-0193", "CVE-2019-10758", "CVE-2019-13272", "CVE-2019-7238", "CVE-2020-17463", "CVE-2020-8816", "CVE-2021-35394", "CVE-2021-44168", "CVE-2021-44228", "CVE-2021-44515"], "modified": "2022-01-25T00:00:00", "id": "CISA:F3C70D08CAE58CBD29A5E5ED6B2AE473", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:09", "description": "CISA has added thirteen new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number**\n\n| \n\n**CVE Title**\n\n| \n\n**Remediation Due Date** \n \n---|---|--- \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache Log4j2 Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44515\n\n| \n\nZoho Corp. 
Desktop Central Authentication Bypass Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44168\n\n| \n\nFortinet FortiOS Arbitrary File Download Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>)\n\n| \n\nRealtek Jungle SDK Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2020-8816](<https://nvd.nist.gov/vuln/detail/CVE-2020-8816>)\n\n| \n\nPi-Hole AdminLTE Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2020-17463](<https://nvd.nist.gov/vuln/detail/CVE-2020-17463>)\n\n| \n\nFuel CMS SQL Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-7238](<https://nvd.nist.gov/vuln/detail/CVE-2019-7238>)\n\n| \n\nSonatype Nexus Repository Manager Incorrect Access Control Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-13272](<https://nvd.nist.gov/vuln/detail/cve-2019-13272>)\n\n| \n\nLinux Kernel Improper Privilege Management Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-10758](<https://nvd.nist.gov/vuln/detail/CVE-2019-10758>)\n\n| \n\nMongoDB mongo-express Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-0193](<https://nvd.nist.gov/vuln/detail/CVE-2019-0193>)\n\n| \n\nApache Solr DataImportHandler Code Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-17562](<https://nvd.nist.gov/vuln/detail/cve-2017-17562>)\n\n| \n\nEmbedthis GoAhead Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-12149](<https://nvd.nist.gov/vuln/detail/CVE-2017-12149>)\n\n| \n\nRed Hat Jboss Application Server Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2010-1871](<https://nvd.nist.gov/vuln/detail/CVE-2010-1871>)\n\n| \n\nRed Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://cyber.dhs.gov/bod/22-01/>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that 
carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa", "title": "CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2017-12149", "CVE-2017-17562", "CVE-2019-0193", "CVE-2019-10758", "CVE-2019-13272", "CVE-2019-7238", "CVE-2020-17463", "CVE-2020-8816", "CVE-2021-35394", "CVE-2021-44168", "CVE-2021-44228", "CVE-2021-44515"], "modified": "2021-12-10T00:00:00", "id": "CISA:380E63A9EAAD85FA1950A6973017E11B", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
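The two CISA bulletins above carry the catalogued CVEs and their remediation due dates as a markdown table that extraction has flattened (one cell per line, a lone `|` between cells, a `---|---|---` header separator, U.S. m/d/yyyy dates). The following is an added example, not CISA's or the page's code: a small Python script that parses that flattened table form back into records and then triages a list of CVE ids (for instance, what a scanner reports for your fleet) against it, reporting which are past their KEV due date. The four-row table excerpt and the inventory in the block are constructed from the bulletin text on this page; the function names are the example's own.

```python
"""Parse the flattened CISA KEV bulletin table and triage a CVE inventory against it.

Added example (not CISA's or the page's code). The table excerpt and the
inventory below are constructed from the bulletin text on this page.
"""
import re
from collections import namedtuple
from datetime import date, datetime

KevEntry = namedtuple("KevEntry", "cve title due")

# Constructed sample: four rows of the bulletin's table in the flattened
# form the extraction left it in (each cell on its own line, a lone '|'
# between cells, the '---|---|---' header separator, m/d/yyyy due dates).
SAMPLE_TABLE = (
    "**CVE Number**\n\n| \n\n**CVE Title**\n\n| \n\n**Remediation Due Date** \n \n"
    "---|---|--- \n \n"
    "[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\n"
    "Apache Log4j2 Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \n"
    "CVE-2021-44515\n\n| \n\nZoho Corp. Desktop Central Authentication Bypass Vulnerability"
    "\n\n| \n\n12/24/2021 \n \n"
    "[CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>)\n\n| \n\n"
    "Realtek Jungle SDK Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \n"
    "[CVE-2020-8816](<https://nvd.nist.gov/vuln/detail/CVE-2020-8816>)\n\n| \n\n"
    "Pi-Hole AdminLTE Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n"
)

# One table row after whitespace is collapsed: a CVE id, either bare or as a
# markdown link "[CVE-...](<url>)", then '|', the title, '|', and the due date.
ROW_RE = re.compile(
    r"\[?(CVE-\d{4}-\d{4,})(?:\]\(<[^>]*>\))?"
    r"\s*\|\s*(.*?)\s*\|\s*(\d{1,2}/\d{1,2}/\d{4})"
)


def parse_kev_table(text):
    """Return {cve_id: KevEntry} parsed from the flattened table text."""
    flat = " ".join(text.split())  # collapse the per-cell line breaks
    entries = {}
    for cve, title, due in ROW_RE.findall(flat):
        entries[cve] = KevEntry(cve, title, datetime.strptime(due, "%m/%d/%Y").date())
    return entries


def triage(inventory, kev, today):
    """Split an inventory of CVE ids into three groups relative to `today`.

    Returns (overdue, pending, not_in_catalog): overdue and pending are lists
    of (cve, days), days past due or days remaining; overdue is sorted with
    the most overdue first. `today` may be a date or an ISO 'YYYY-MM-DD' string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    overdue, pending, not_in_catalog = [], [], []
    for cve in sorted(set(inventory)):  # de-duplicate scanner findings
        entry = kev.get(cve)
        if entry is None:
            not_in_catalog.append(cve)
        elif today > entry.due:
            overdue.append((cve, (today - entry.due).days))
        else:
            pending.append((cve, (entry.due - today).days))
    overdue.sort(key=lambda item: -item[1])
    return overdue, pending, not_in_catalog


if __name__ == "__main__":
    catalog = parse_kev_table(SAMPLE_TABLE)
    # Constructed inventory: what a scanner might report for a few hosts.
    found = ["CVE-2021-35394", "CVE-2020-8816", "CVE-2019-0000", "CVE-2021-35394"]
    overdue, pending, unknown = triage(found, catalog, "2022-01-10")
    for cve, days in overdue:
        print(f"OVERDUE  {cve}  {days:>4} days past {catalog[cve].due}  {catalog[cve].title}")
    for cve, days in pending:
        print(f"PENDING  {cve}  {days:>4} days until {catalog[cve].due}")
    for cve in unknown:
        print(f"NOT-KEV  {cve}")
```

Parsing bulletin text is only useful for pages like this one, where the table is all you have; for operational use, CISA publishes the full catalog as machine-readable JSON and CSV, and the same `triage` step applies unchanged once the entries are loaded from that feed. The "not in catalog" bucket is not a clean bill of health: it only means CISA has not yet recorded exploitation, so those CVEs still need ordinary severity-based prioritisation.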