Vulnerabilities in the Realtek SDK affect devices from 65 manufacturers

Four vulnerabilities have been found in components of the Realtek SDK, which various manufacturers of wireless devices use in their firmware. They allow an unauthenticated remote attacker to execute code on the device with elevated privileges. According to preliminary estimates, the problems affect at least 200 device models from 65 different vendors, including various wireless router models from Asus, A-Link, Beeline, Belkin, Buffalo, D-Link, Edison, Huawei, LG, Logitec, MT-Link, Netgear, Realtek, SmartLink, Upvel, ZTE and ZyXEL.

The problem covers various classes of wireless devices based on RTL8XXX SoCs, from wireless routers and Wi-Fi range extenders to IP cameras and smart lighting controllers. Devices based on RTL8XXX chips use an architecture with two SoCs: the first runs the manufacturer's Linux-based firmware, while the second runs a separate, stripped-down Linux environment that implements the access point functions. The software of the second environment is built from the standard components Realtek supplies in the SDK, and these components, among other things, process data that arrives in externally sent requests.

The vulnerabilities affect products that use Realtek SDK v2.x, Realtek “Jungle” SDK v3.0 to 3.4 and Realtek “Luna” SDK up to version 1.3.2. A fix has already been released in the Realtek “Luna” SDK 1.3.2A update, and patches for the Realtek “Jungle” SDK are being prepared for publication. No fixes are planned for Realtek SDK 2.x, since support for that branch has already been discontinued. For all of the vulnerabilities, working exploit prototypes are available that allow code execution on the device.

The identified vulnerabilities (the first two were assigned a severity score of 8.1, the rest 9.8):

  • CVE-2021-35392 – Buffer overflow in the mini_upnpd and wscd processes, which implement the “WiFi Simple Config” functionality (mini_upnpd handles SSDP packets, while wscd, in addition to SSDP, also serves HTTP-based UPnP requests). An attacker can achieve execution of their code by sending a specially crafted UPnP “SUBSCRIBE” request with an overly large port number in the “Callback” field:

        SUBSCRIBE /upnp/event/WFAWLANConfig1 HTTP/1.1
        Host: 192.168.100.254:52881
        Callback:
        NT: upnp:event
  • CVE-2021-35393 – Vulnerability in the “WiFi Simple Config” handlers that manifests when the SSDP protocol is used (it runs over UDP with a request format similar to HTTP). The problem is caused by the use of a fixed 512-byte buffer when processing the “ST:upnp” parameter in M-SEARCH messages, which clients send to discover the services available on the network.
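As an added example (not code from the article, from Realtek or from the advisory), the following Python script implements a simple passive check for the two request patterns described in the two entries above: a UPnP SUBSCRIBE request whose Callback URL carries a port number that cannot fit in 16 bits, and an SSDP M-SEARCH request whose ST header meets or exceeds the 512-byte buffer size the article mentions. The sample messages are constructed; the callback host 192.168.100.10, the oversized values and the choice to flag an ST value at exactly 512 bytes are assumptions made for this example, and a real monitor would feed the same function UDP 1900 and TCP payloads captured from the network.

```python
import re

# Constructed example, not code from the article or from Realtek.
# The SSDP "ST:" handler described above uses a fixed 512-byte buffer, so that
# size is the threshold. Flagging at the limit (not only above it) is a
# conservative assumption: a legitimate ST value is a few dozen bytes.
ST_BUFFER_LIMIT = 512
# A TCP port is 16 bits, so any Callback port above this is malformed.
MAX_PORT = 65535

# Extracts the numeric port that follows the host in a URL such as
# http://192.168.100.10:49152/notify or http://[fe80::1]:80/ (no match if the
# URL carries no explicit port).
PORT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://(?:\[[^\]]*\]|[^/\[:]+):(\d+)")


def parse_message(message):
    """Split an HTTP-style (or SSDP) message into its request line and headers.

    Header values are kept unstripped on purpose so that whitespace padding
    still counts toward the size a fixed-length buffer would have to hold.
    """
    lines = message.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line:  # a blank line terminates the header section
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value
    return request_line, headers


def inspect_message(message):
    """Return a list of findings for one request; an empty list means clean."""
    request_line, headers = parse_message(message)
    method = request_line.split(" ", 1)[0].upper()
    findings = []

    if method == "SUBSCRIBE":
        # UPnP eventing puts one or more <url> entries in the Callback header.
        for url in re.findall(r"<([^>]*)>", headers.get("CALLBACK", "")):
            match = PORT_RE.search(url.strip())
            if match is None:
                continue
            port = match.group(1)
            # More than five digits, or a value over 65535, is never a valid port.
            if len(port) > 5 or int(port) > MAX_PORT:
                findings.append(f"SUBSCRIBE Callback port out of range: {port[:16]}")

    elif method == "M-SEARCH":
        st_value = headers.get("ST", "")
        if len(st_value) >= ST_BUFFER_LIMIT:
            findings.append(
                f"M-SEARCH ST header is {len(st_value)} bytes "
                f"(handler buffer is {ST_BUFFER_LIMIT})"
            )

    return findings


# Constructed sample traffic; the callback host 192.168.100.10 and the
# oversized values are made up for this example.
SAMPLES = {
    "benign M-SEARCH": (
        b"M-SEARCH * HTTP/1.1\r\n"
        b"HOST: 239.255.255.250:1900\r\n"
        b'MAN: "ssdp:discover"\r\n'
        b"MX: 2\r\n"
        b"ST: upnp:rootdevice\r\n"
        b"\r\n"
    ),
    "oversized M-SEARCH": (
        b"M-SEARCH * HTTP/1.1\r\n"
        b"HOST: 239.255.255.250:1900\r\n"
        b"ST: " + b"A" * 600 + b"\r\n"
        b"\r\n"
    ),
    "benign SUBSCRIBE": (
        b"SUBSCRIBE /upnp/event/WFAWLANConfig1 HTTP/1.1\r\n"
        b"Host: 192.168.100.254:52881\r\n"
        b"Callback: <http://192.168.100.10:49152/notify>\r\n"
        b"NT: upnp:event\r\n"
        b"\r\n"
    ),
    "bad-port SUBSCRIBE": (
        b"SUBSCRIBE /upnp/event/WFAWLANConfig1 HTTP/1.1\r\n"
        b"Host: 192.168.100.254:52881\r\n"
        b"Callback: <http://192.168.100.10:99999999/notify>\r\n"
        b"NT: upnp:event\r\n"
        b"\r\n"
    ),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {inspect_message(raw) or 'clean'}")
```

Only the port digits and the header length are inspected, so the check stays cheap enough to run on every SSDP datagram; anything it flags should be correlated with the source address, since the vulnerable handlers sit on the access point side of the device and legitimate discovery traffic from the LAN never needs an ST value anywhere near the buffer size.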