ID CVE-2021-35395 Type cve Reporter cve@mitre.org Modified 2021-08-26T14:27:00
Description
Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exists: one based on Go-Ahead named webs and another based on Boa named boa. Both of them are affected by these vulnerabilities. Specifically, these binaries are vulnerable to the following issues: - stack buffer overflow in formRebootCheck due to unsafe copy of submit-url parameter - stack buffer overflow in formWsc due to unsafe copy of submit-url parameter - stack buffer overflow in formWlanMultipleAP due to unsafe copy of submit-url parameter - stack buffer overflow in formWlSiteSurvey due to unsafe copy of ifname parameter - stack buffer overflow in formStaticDHCP due to unsafe copy of hostname parameter - stack buffer overflow in formWsc due to unsafe copy of 'peerPin' parameter - arbitrary command execution in formSysCmd via the sysCmd parameter - arbitrary command injection in formWsc via the 'peerPin' parameter Exploitability of identified issues will differ based on what the end vendor/manufacturer did with the Realtek SDK webserver. Some vendors use it as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK webserver will probably contains its own set of issues on top of the Realtek ones (if kept). Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device.
{"id": "CVE-2021-35395", "bulletinFamily": "NVD", "title": "CVE-2021-35395", "description": "Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exists: one based on Go-Ahead named webs and another based on Boa named boa. Both of them are affected by these vulnerabilities. Specifically, these binaries are vulnerable to the following issues: - stack buffer overflow in formRebootCheck due to unsafe copy of submit-url parameter - stack buffer overflow in formWsc due to unsafe copy of submit-url parameter - stack buffer overflow in formWlanMultipleAP due to unsafe copy of submit-url parameter - stack buffer overflow in formWlSiteSurvey due to unsafe copy of ifname parameter - stack buffer overflow in formStaticDHCP due to unsafe copy of hostname parameter - stack buffer overflow in formWsc due to unsafe copy of 'peerPin' parameter - arbitrary command execution in formSysCmd via the sysCmd parameter - arbitrary command injection in formWsc via the 'peerPin' parameter Exploitability of identified issues will differ based on what the end vendor/manufacturer did with the Realtek SDK webserver. Some vendors use it as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK webserver will probably contains its own set of issues on top of the Realtek ones (if kept). Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device.", "published": "2021-08-16T12:15:00", "modified": "2021-08-26T14:27:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35395", "reporter": "cve@mitre.org", "references": ["https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en", "https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain", "https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf"], "cvelist": ["CVE-2021-35395"], "immutableFields": [], "type": "cve", "lastseen": "2021-08-27T07:58:56", "edition": 2, "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "malwarebytes", "idList": ["MALWAREBYTES:B1913B0E7CB2A0C66E627673482C42E7"]}, {"type": "threatpost", "idList": ["THREATPOST:3CDCE42FF7DD2A68B77DC15C8BB1A6BA"]}, {"type": "thn", "idList": ["THN:B73C2EFCE2F6E4AC50F5CFFF3165A5C1"]}], "modified": "2021-08-27T07:58:56", "rev": 2}, "score": {"value": 2.3, "vector": "NONE", "modified": "2021-08-27T07:58:56", "rev": 2}, "twitter": {"counter": 22, "modified": "2021-08-17T07:54:24", "tweets": [{"link": "https://twitter.com/CyberSecDN/status/1430145807689437242", "text": "Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395) - https://t.co/JdSWLmYNRN?amp=1 /hashtag/cybersecurity?src=hashtag_click /hashtag/infosec?src=hashtag_click"}, {"link": "https://twitter.com/hintz2010/status/1430534974487384068", "text": "Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395) /hashtag/cybersecurity?src=hashtag_click /hashtag/awareness?src=hashtag_click /hashtag/vulnerability?src=hashtag_click"}, {"link": "https://twitter.com/kuriharan/status/1430534176344793096", "text": "Learn it. Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395) https://t.co/ZjU6IknlNp?amp=1 /hashtag/tech?src=hashtag_click /hashtag/digital?src=hashtag_click /hashtag/data?src=hashtag_click /hashtag/security?src=hashtag_click"}, {"link": "https://twitter.com/UtopianKnightUK/status/1430152571616890883", "text": "... to exploit CVE-2021-35395, a group of vulnerabilities in the web interface of the Realtek SDK, to spread Mirai malware to vulnerable IoT devices. /hashtag/cybernews?src=hashtag_click /hashtag/thecybernewsfeed?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1430245535064236043", "text": "(Same from about 4 hours ago.)\nI think that the most retweeted(39 times) tweet that contains CVE ID between Aug 23 2021 19:01 UTC and Aug 24 2021 19:00 UTC is:\n/bad_packets/status/1430013950364585991\nIt has CVE-2021-35395. /hashtag/l24_iflwhkp3yv5om?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1430185136973402125", "text": "(second \u2192 most)\nI think that the most retweeted(33 times) tweet that contains CVE ID between Aug 23 2021 15:01 UTC and Aug 24 2021 15:00 UTC is:\n/bad_packets/status/1430013950364585991\nIt has CVE-2021-35395. /hashtag/l24_iflwhkp3yv5om?src=hashtag_click"}, {"link": "https://twitter.com/cyberreport_io/status/1430153556779094026", "text": "Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395) - Help Net Security https://t.co/o2kjX0k1tC?amp=1 /hashtag/cybersecurity?src=hashtag_click /hashtag/threatintelligence?src=hashtag_click /hashtag/cybernews?src=hashtag_click"}, {"link": "https://twitter.com/BishwarupamSaha/status/1430149367567060995", "text": "New variant of /hashtag/Mirai?src=hashtag_click Botnet targeting thousands of IoT devices by abusing /hashtag/Realtek?src=hashtag_click SDK /hashtag/vulnerability?src=hashtag_click tracked as CVE-2021-35395\n/hashtag/router?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click /hashtag/IoT?src=hashtag_click /hashtag/botnet?src=hashtag_click /hashtag/infosec?src=hashtag_click /hashtag/threatIntel?src=hashtag_click"}, {"link": "https://twitter.com/SouthSeasData/status/1430184283914842113", "text": "Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395) https://t.co/1tutAQnAKd?amp=1\n/hashtag/IoTSecurity?src=hashtag_click /hashtag/Realtek?src=hashtag_click /hashtag/vulnerability?src=hashtag_click /hashtag/Mirai?src=hashtag_click /hashtag/malware?src=hashtag_click /hashtag/botnet?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click /hashtag/CVE?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click /hashtag/infosec?src=hashtag_click"}, {"link": "https://twitter.com/Security_411/status/1430186646079561736", "text": "Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395)"}]}, "vulnersScore": 2.3}, "cpe": ["cpe:/a:realtek:realtek_jungle_sdk:3.4.14b"], "affectedSoftware": [{"cpeName": "realtek:realtek_jungle_sdk", "name": "realtek realtek jungle sdk", "operator": "le", "version": "3.4.14b"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:realtek:realtek_jungle_sdk:3.4.14b:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.4.14b", "versionStartIncluding": "2.0", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en", "refsource": "MISC", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en"}, {"name": "https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain"}, {"name": "https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf", "refsource": "MISC", "tags": ["Patch"], "url": "https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf"}], "cpe23": ["cpe:2.3:a:realtek:realtek_jungle_sdk:3.4.14b:*:*:*:*:*:*:*"], "cwe": ["CWE-77", "CWE-787"], "scheme": null}
{"malwarebytes": [{"lastseen": "2021-08-27T12:34:55", "description": "A few weeks ago we blogged about a vulnerability in home routers that was weaponized by the Mirai botnet just two days after disclosure. Mirai hoovers up vulnerable Internet of Things (IoT) devices and adds them to its network of zombie devices, which can then be used to [launch huge Distributed Denial of Service](<https://blog.malwarebytes.com/botnets/2021/08/largest-ddos-attack-ever-reported-gets-hoovered-up-by-cloudflare/>) (DDoS) attacks.\n\nLast time it was a [vulnerability in the Arcadyan firmware](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/>) found in devices distributed by some of today\u2019s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.\n\nA similar situation is going on right now with routers and Wi-Fi amplifiers that are built on the Realtek RTL819xD chipset. Realtek chipsets are found in many embedded IoT devices. At least 65 vendors are affected. The vulnerabilities enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. Exactly what Mirai wants.\n\n### Vulnerabilities\n\nThe vulnerabilities were found and disclosed by [IoT Inspector](<https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/>), a platform for automated security analysis of IoT firmware. In total they identified more than a dozen vulnerabilities, but one of them (CVE-2021-35395) has already been found to be actively exploited in in the wild.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The description of [CVE-2021-35395](<https://nvd.nist.gov/vuln/detail/CVE-2021-35395>) contains a pretty dense explanation, but it boils down as follows.\n\nThere are two types of a management interfaces that can accessed over the Internet. Both of them are vulnerable to multiple stack buffer overflows due to "unsafe" copying of parameters, and two separate arbitrary command injection problems, again stemming from the apparently unsafe handling of parameters. These allow an attacker to run arbitrary commands on the vulnerable device.\n\nFor anyone unfamiliar with web programming, this implies that the code behind these Internet-exposed management interfaces are failing to perform the most basic security hygiene.\n\nThe description ends:\n\n> Some vendors use [the management interface] as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK web server will probably contain its own set of issues on top of the Realtek ones\u2026\n\nIn other words, how vulnerable your device is may depend on whether, and how well, the vendor added their own authentication methods, but vendors may well have added more problems.\n\n### Same botnet, same operator?\n\nWith all the similarities in the vulnerabilities and the speed with which they are being exploited after disclosure, it will not come as a total surprise that the botnet that is actively going after these vulnerable devices is Mirai. Mirai is the name of the malware behind one of the most active and well-known IoT botnets. After the source code of the original Mirai botnet was leaked, it was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets.\n\n[Researchers at SAM Seamless Network](<https://securingsam.com/realtek-vulnerabilities-weaponized/>) were able to establish that the web server serving the Mirai botnet behind these attacks uses the same network subnet [seen by Unit 42](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) in March of 2021, indicating that the same attacker was behind those incidents. Due to the similarity in scripts it was assumed that the same actor was behind the exploitation of the vulnerability listed under CVE-2021-20090 which is present in the Arcadyan firmware.\n\nIt also stands to reason to assume this is the actor that was responsible for the [largest DDoS attack](<https://blog.malwarebytes.com/botnets/2021/08/largest-ddos-attack-ever-reported-gets-hoovered-up-by-cloudflare/>) recorded to date, just last week.\n\n### Mitigation\n\nRealtek has since [patched](<https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf>) the vulnerabilities, but it will take a while for manufacturers who use their chipset to make the patches available to their customers. And again many of the owners of vulnerable devices are home users. They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.\n\nRealTek is a common chipset used for sound and Wi-Fi by many vendors such as ARRIS, ASUSTek, Belkin, Buffalo, D-Link, EnGenius, Huawei, LG, Logitec, NetGear, TRENDnet, and many more. I found a [list of affected devices courtesy of Mainstream Technologies](<https://www.mainstream-tech.com/realtek-security-notice/>) but this is only a partial list. Alongside its list, Mainstream Technologies warns that: "If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years it probably will not get a patch".\n\nSo even if your device is not on it, that doesn\u2019t mean it\u2019s not vulnerable. Any device that uses a Realtek RTL819D chipset is vulnerable and the bots scanning the internet for vulnerable devices will definitely be able to find them.\n\nIt is cases like these that could end up to be a deciding factor in the discussion whether vendors/governments/[law enforcement](<https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/>) should be allowed to patch vulnerable systems that do not belong to them or to the infrastructure they are responsible for.\n\nStay safe, everyone!\n\nThe post [Realtek-based routers, smart devices are being gobbled up by a voracious botnet](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/realtek-based-routers-smart-devices-are-being-gobbled-up-by-a-voracious-botnet/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-24T13:36:52", "type": "malwarebytes", "title": "Realtek-based routers, smart devices are being gobbled up by a voracious botnet", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-35392", "CVE-2021-35395"], "modified": "2021-08-24T13:36:52", "id": "MALWAREBYTES:B1913B0E7CB2A0C66E627673482C42E7", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/realtek-based-routers-smart-devices-are-being-gobbled-up-by-a-voracious-botnet/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-08-24T02:09:46", "description": "Threat actors zeroing in on command injection vulnerabilities reported in Realtek chipsets just days after multiple flaws were discovered in the software developers kits (SDK) deployed across at least 65 separate vendors.\n\nOn Aug. 16 multiple [Realtek vulnerabilities](<https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/>) were disclosed by IoT Inspector Research Lab. It took about 48 hours for attackers to start trying to exploit them. SAM Seamless Network reported two days after the bugs were made public, attackers made \u201cmultiple\u201d attempts breach the company\u2019s Secure Home product to [spread a new version of Mirai malware](<https://securingsam.com/realtek-vulnerabilities-weaponized/>).\n\n\u201cSpecifically, we noticed exploit attempts to \u2018formWsc\u2019 and \u2018formSysCmd\u2019 web pages,\u201d SAM\u2019s report on the incident said. \u201cThe exploit attempts to deploy a Mirai variant detected in March by Palo Alto Networks. Mirai is a notorious IoT and router malware circulating in various forms for the last 5 years. It was originally used to shut down large swaths of the internet but has since evolved into many variants for different purposes.\u201d \n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)The report goes on to link another similar attack to the attack group. On Aug. 6 Juniper Networks found a vulnerability that just two days later was also exploited to try and deliver the same Mirai botnet using the same network subnet, the report explained.\n\n\u201cThis chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly,\u201d SAM said. \u201cThese kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.\u201d\n\nRealtek Semiconductor Corp. has not yet responded to Threatpost\u2019s request for comment, but the company did release [this advisory](<https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf>) on CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, CVE-2021-35395,\n\n[Mirai\u2019s source code has exploded in popularity](<https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/>) over the years, with more than [60 variants](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) observed in the wild by last March. That number is still climbing with this latest iteration tailored to target the Realtek SDK flaws.\n\n## **Devices Targeted **\n\nConsidering the number of vendors impacted, researchers are concerned threat actors have ample first-move opportunities to exploit the bug before patches are deployed.\n\nSAM said the devices most exposed to the Realtek SDK bug are:\n\n * Netis E1+ extender\n * Edimax N150 and N300 Wi-Fo router\n * Repotec RP-WR5444 router\n\nThe original IoT Inspector report linked this kind of vulnerability to recent supply chain attacks on [SolarWinds](<https://threatpost.com/solarwinds-attackers-dhs-emails/165110/>) and [Kaseya](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>).\n\n\u201cAs awareness for supply chain transparency is on the rise among security experts, this example is a pretty good showcase of the vast implications of an obscure IoT supply chain, The IoT Inspector report said.\n\nJust a day after the Realtek revelations, Mandiant in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), reported [a flaw in IoT cloud](<https://threatpost.com/bug-iot-millions-devices-attackers-eavesdrop/168729/>) platform ThroughTek Kalay. The vulnerability would have potentially allowed an attacker to take over an IoT device to listen to live audio, watch real-time video and more.\n\n\u201cThese types of vulnerabilities are surfacing every day and there are probably many more that have yet to be discovered\u2026,\u201d SAM\u2019s Ran Hananel told Threatpost by email.\n\n## **Securing IoT **\n\nYaniv Bar-Dayan, co-founder of Vulcan Cyber told Threatpost that IoT security in inherently tricky because often it\u2019s not clear who is responsible for the data.\n\n\u201cWhile the responsibility to bring bug fixes and patches to market should lie on the shoulders of vendors, users should be sure to rely on tried-and-true security best practices in the meantime,\u201d Bar-Dayan said. \u201cEncrypt data, use sophisticated and unique passwords or multi-factor authentication, don\u2019t broadcast your network ID, double check configurations, and, above all else, patch early and often.\u201d\n\nBesides patching, Jake Williams at BreachQuest recommends limiting web interface access to the local network.\n\n\u201cThat won\u2019t stop attacks but does limit where they can be conducted from,\u201d Williams said. \u201cThis is particularly true for administrative interfaces.\u201d\n\nIt\u2019s also up to developers to know the code their using is secure. A [Software Bill of Materials (SBOMs)](<https://threatpost.com/executive-order-cybersecurity-federal-agencies/165056/>) are one solution being pushed by the U.S. government in the wake of the SolarWinds breach.\n\n\u201cDevelopers of any type of software like to use SDKs because it enables them to implement capabilities into their software without having to build it themselves,\u201d Hank Schless from Lookout told Threatpost. \u201cThis is broadly practiced, and there\u2019s a level of implicit trust that developers have in those that build these SDKs that everything packaged inside of them will be safe. However, just like with any other type of software, SDKs have their inevitable flaws.\u201d\n", "cvss3": {}, "published": "2021-08-23T14:08:42", "type": "threatpost", "title": "Attackers Actively Exploiting Realtek SDK Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35392", "CVE-2021-35393", "CVE-2021-35394", "CVE-2021-35395"], "modified": "2021-08-23T14:08:42", "id": "THREATPOST:3CDCE42FF7DD2A68B77DC15C8BB1A6BA", "href": "https://threatpost.com/attackers-exploiting-realtek/168856/", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2021-08-24T05:35:04", "description": "[](<https://thehackernews.com/images/-PiZWCeBTtNg/YRtRHWkDPnI/AAAAAAAADjU/14jyow9NKv8ROnMPT_eVpKuR-OFvSGofACLcBGAsYHQ/s0/wifi.jpg>)\n\nTaiwanese chip designer Realtek is warning of [four security vulnerabilities](<https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf>) in three software development kits (SDKs) accompanying its WiFi modules, which are used in almost 200 IoT devices made by at least 65 vendors.\n\nThe flaws, which affect Realtek SDK v2.x, Realtek \"Jungle\" SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT, and Realtek \"Luna\" SDK up to version 1.3.2, could be abused by attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege \u2014\n\n * **CVE-2021-35392** (CVSS score: 8.1) - Heap buffer overflow vulnerability in 'WiFi Simple Config' server due to unsafe crafting of SSDP NOTIFY messages\n * **CVE-2021-35393** (CVSS score: 8.1) - Stack buffer overflow vulnerability in 'WiFi Simple Config' server due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header\n * **CVE-2021-35394** (CVSS score: 9.8) - Multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability in 'UDPServer' MP tool\n * **CVE-2021-35395** (CVSS score: 9.8) - Multiple buffer overflow vulnerabilities in HTTP web server 'boa' due to unsafe copies of some overly long parameters\n\n[](<https://thehackernews.com/images/-EIgcKb_iBEk/YRtP5RJMxMI/AAAAAAAADjM/cTEyKOzn0asMcS1ihlaXo5YwzZ7xyMNxQCLcBGAsYHQ/s0/wifi-hack.gif>)\n\nImpacting devices that implement wireless capabilities, the list includes residential gateways, travel routers, WiFi repeaters, IP cameras to smart lightning gateways, or even connected toys from a wide range of manufacturers such as AIgital, ASUSTek, Beeline, Belkin, Buffalo, D-Link, Edimax, Huawei, LG, Logitec, MT-Link, Netis, Netgear, Occtel, PATECH, TCL, Sitecom, TCL, ZTE, Zyxel, and Realtek's own router lineup.\n\n[](<https://go.thn.li/privileged_728> \"Prevent Data Breaches\" )\n\n\"We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million,\" researchers said.\n\nWhile patches have been released for Realtek \"Luna\" SDK in version 1.3.2a, users of the \"Jungle\" SDK are recommended to backport the fixes provided by the company.\n\nThe security issues are said to have remained untouched in Realtek's codebase for more than a decade, German cybersecurity specialist IoT Inspector, which [discovered](<https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/>) the weaknesses, said in a report published Monday three months after disclosing them to Realtek in May 2021.\n\n\"On the product vendor's end, [...] manufacturers with access to the Realtek source code [...] missed to sufficiently validate their supply chain, [and] left the issues unspotted and distributed the vulnerabilities to hundreds of thousands of end customers \u2014 leaving them vulnerable to attacks,\" the researchers said.\n\n**_Update:_** Three days after details about the Realtek vulnerabilities were revealed, active exploitation attempts have been detected to spread a variant of a Mirai malware and rope the compromised devices into the botnet. The same threat actor behind this Mirai-based botnet has also been linked to a [string of attacks](<https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html>) at least since February 2021, leveraging newly disclosed flaws in network security appliances and home routers to their advantage.\n\n\"This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly,\" network security firm SAM Seamless Network [said](<https://securingsam.com/realtek-vulnerabilities-weaponized/>) last week. \"These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-08-17T06:19:00", "type": "thn", "title": "Multiple Flaws Affecting Realtek Wi-Fi SDKs Impact Nearly a Million IoT Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35392", "CVE-2021-35393", "CVE-2021-35394", "CVE-2021-35395"], "modified": "2021-08-24T04:42:33", "id": "THN:B73C2EFCE2F6E4AC50F5CFFF3165A5C1", "href": "https://thehackernews.com/2021/08/multiple-flaws-affecting-realtek-wi-fi.html", "cvss": {"score": 0.0, "vector": "NONE"}}]}
