Talos Vulnerability Report

TALOS-2023-1874

Realtek rtl819x Jungle SDK boa formUpload firmware update vulnerability

July 8, 2024

CVE Number

CVE-2023-34435

SUMMARY

A firmware update vulnerability exists in the boa formUpload functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted network packets can lead to arbitrary firmware update. An attacker can provide a malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
Realtek rtl819x Jungle SDK v3.4.11

PRODUCT URLS

rtl819x Jungle SDK - <https://www.realtek.com/en/&gt; WBR-6013 - <https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103&gt;

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-347 - Improper Verification of Cryptographic Signature

DETAILS

The rtl819x Jungle SDK is an SDK for routers. This SDK uses as web server boa.

This Realtek rtl819x Jungle SDK vulnerability was found while researching the Levelone WBR-6013 router. We are going to explain this vulnerability from the perspective of the WBR-6013 router.

The WBR-6013 router has a web server called boa. This web server offers, through the /boafrm/formUpload, API functionality to upgrade the firmware with a newer one. The WBR-6013, throughout the whole firmware upgrade process, never checks the validity of the uploaded firmware. This allows an attacker to upgrade the router with an arbitrary firmware.

VENDOR RESPONSE

Realtek has provided updates software to their customers. LevelOne has declined to patch the issues in their software.

TIMELINE

2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-05-20 - Vendor Patch Release
2024-07-08 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.

---

Vulnerability Reports Next Report

TALOS-2023-1873

Previous Report

TALOS-2023-1871