This is what happens with the vulnerabilities discovered by German researchers and confirmed by Realtek itself. The Taiwanese company has announced that there are four vulnerabilities in three of its software development kits (SDKs). The bugs have been detected in Realtek SDK v2.x, Realtek “Jungle” SDK v3.0 / v3.1 / v3.2 / v3.4.x / v3.4T / v3.4T-CT, and Realtek “Luna” up to version 1.3.2.
These flaws give an attacker full access to the device and allow arbitrary code execution with the highest level of privileges. The complete list of flaws is as follows:
- CVE-2021-35392 (CVSS score: 8.1) – ‘WiFi Simple Config’ server buffer overflow vulnerability due to insecure SSDP NOTIFY message creation
- CVE-2021-35393 (CVSS score: 8.1) – Buffer overflow vulnerability on ‘WiFi Simple Config’ server due to insecure parsing of UPnP SUBSCRIBE / UNSUBSCRIBE callback header
- CVE-2021-35394 (CVSS score: 9.8) – Multiple buffer overflow vulnerabilities and an arbitrary code injection vulnerability in MP tool ‘UDPServer’
- CVE-2021-35395 (CVSS score: 9.8) – Multiple buffer overflow vulnerabilities in HTTP web server due to unsafe copies of some overly long parameters
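The bug class named for CVE-2021-35393, shown from the defensive side as a bounds-checked parser for the UPnP `CALLBACK` header. This is an added example, not Realtek SDK code; `parse_callback`, `CB_URL_MAX` and the sample header are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CB_URL_MAX 64 /* assumed buffer size for the demo, not an SDK value */

/* Bug class being avoided: copying the sender-controlled URL into a fixed
 * buffer with strcpy()/sprintf() and no length check. */

/* Extract the first <url> from a GENA "CALLBACK: <http://host:port/path>"
 * header line. Returns 0 on success, -1 if malformed or too long for out. */
int parse_callback(const char *line, char *out, size_t out_len)
{
    static const char name[] = "CALLBACK:";
    const char *open, *close;
    size_t i, n;

    if (line == NULL || out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    /* Header names are case-insensitive; a short line fails on its NUL. */
    for (i = 0; i < sizeof(name) - 1; i++)
        if (toupper((unsigned char)line[i]) != name[i])
            return -1;
    open = strchr(line + i, '<');
    close = open ? strchr(open + 1, '>') : NULL;
    if (close == NULL)
        return -1;
    n = (size_t)(close - open) - 1;          /* bytes between < and > */
    if (n <= 7 || n >= out_len)              /* reject, never truncate */
        return -1;
    if (strncmp(open + 1, "http://", 7) != 0)
        return -1;
    memcpy(out, open + 1, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample header, not captured traffic. */
    char url[CB_URL_MAX];
    int rc = parse_callback("Callback: <http://192.0.2.10:5000/evt>", url, sizeof url);
    printf("rc=%d url=%s\n", rc, url);
    return 0;
}
```

An over-long value is rejected outright rather than truncated, so a later consumer never sees a partial URL.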
Devices from 47 brands affected
The affected products span all kinds of IoT devices, including gateways, 4G routers, WiFi repeaters, security cameras, smart light bulbs, and even toys for children. Devices from 47 brands are affected. The affected models are listed at this link, and come from the following manufacturers:
- Abocom System Inc.
- AIgital
- Amped Wireless
- Askey
- ASUSTek Computer Inc.
- BEST ONE TECHNOLOGY CO., LTD.
- Beeline
- Belkin
- Buffalo Inc.
- Calix Inc.
- China Mobile Communication Corp.
- Compal Broadband Networks, INC.
- D-Link
- DASAN Networks
- Davolink Inc.
- Edge-core
- Edimax
- Edison
- EnGenius Technologies, Inc.
- ELECOM Co., LTD.
- Esson Technology Inc.
- EZ-NET Ubiquitous Corp.
- IFAD
- Hama
- Hawking Technologies, Inc.
- MT-Link
- Huawei
- IO DATA DEVICE, INC.
- iCotera
- IGD
- LG International
- LINK-NET TECHNOLOGY CO., LTD.
- Logitec
- MMC Technology
- NetComm Wireless
- Netis
- Netgear
- Nexxt Solutions
- Watch Telecom
- Occtel
- Omega Technology
- PATECH
- PLANEX COMMUNICATIONS INC.
- Planex Communications Corp.
- PLANET Technology
- Realtek
The researchers who discovered the vulnerabilities say they have detected at least 198 unique devices that responded over UPnP to the requests they sent. Assuming that thousands of units of each of these devices have been sold, we are facing a flaw that affects millions of devices that are in the hands of users.
The security flaw is fixed in version 1.3.2a of the Luna development kit, while Jungle users will have to apply the patches that the company has released.
These flaws have been present in the Realtek code for more than a decade, the German researchers at IoT Inspector revealed three months after reporting the bugs to Realtek. The researchers criticize the manufacturers, stating that none of them checked the code they were integrating for vulnerabilities like this one. What remains now is for the security patches to reach the affected devices. It can be dangerous to keep using old WiFi devices as repeaters if they are affected by the flaw and are not going to receive security patches.