Tiny Driver RTSPER.Sys Nearly a Global Threat

A serious vulnerability has been discovered in SD card readers from Realtek, threatening the security of laptops made by leading manufacturers such as Dell and Lenovo. The issue lies in the “rtsper.sys” driver, which allows attackers without Windows administrator rights to read from and write to the device, as well as gain access to the system’s kernel.

The vulnerability was initially found in January 2022 during an analysis of devices in the Windows Object Manager. The driver had overly permissive access rights, which prompted a deeper study of its vulnerabilities. Realtek released the first corrected version in April 2022, but a key issue with access through the DMA controller remained undiscovered. This oversight was only identified a year later during a re-evaluation.

The problem affects various SD card readers, including the RTS5260 and RTS5228, which are used in laptops from manufacturers such as Dell, HP, Lenovo, and MSI. The vulnerability enables attackers to extract data from the kernel, manipulate memory, and bypass the operating system’s protective mechanisms.

While Realtek claimed to have fixed five vulnerabilities back in 2022, including CVE-2022-25476, CVE-2022-25477, CVE-2022-25478, CVE-2022-25479, and CVE-2022-25480, the CVE-2022-25476 vulnerability was only fully addressed in a recent update. Additionally, two new vulnerabilities, CVE-2024-40431 and CVE-2024-40432, were also patched.

One of the most critical vulnerabilities, CVE-2022-25479, involves data leakage from the kernel, opening the door to further attacks on the system. CVE-2022-25480 and CVE-2024-40431 allow data to be written to arbitrary kernel addresses, potentially compromising the system. These issues significantly increase the operational risk, especially on systems where the driver has not been updated to version 10.0.26100.21374 or higher.

Initially, the researcher who discovered the vulnerabilities intended to provide detailed information about the fixes, including release dates and download links. However, communication with Realtek became challenging over time, leading to a decision to stop gathering this information.

Users are strongly advised to verify the availability of updates for their devices. For SD card readers managed by “rtsper.sys,” installing the latest driver version is crucial to mitigate potential attacks.
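A version check for the advice above, as an added example that is not from the original report or from Realtek. It assumes the version cited in the article corresponds to the file version resource of rtsper.sys, and that the file sits in the standard Windows driver directory when no registered driver entry points to it; the function name is hypothetical.

```powershell
# Minimum fixed driver version named in the article.
$MinFixed = [version]'10.0.26100.21374'

function Get-RtsPerStatus {
    param([version]$Minimum)

    # Locate the driver through the registered kernel drivers, matching on the
    # file name from the article rather than guessing a service name.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*\rtsper.sys' } |
        Select-Object -First 1

    if ($svc) {
        # Strip the NT object prefix (\??\) if the path carries one.
        $path = $svc.PathName -replace '^\\\?\?\\', ''
    } else {
        # Assumption: default location when the driver is not registered.
        $path = Join-Path $env:SystemRoot 'System32\drivers\rtsper.sys'
    }

    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{
            Path = $path; Version = $null; State = $null; Status = 'NotInstalled'
        }
    }

    # Build the version from the numeric parts of the version resource;
    # the FileVersion string itself can carry trailing text.
    $vi  = (Get-Item -LiteralPath $path).VersionInfo
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                          $vi.FileBuildPart, $vi.FilePrivatePart)

    $status = if ($ver -ge $Minimum) { 'Patched' } else { 'NeedsUpdate' }

    [pscustomobject]@{
        Path    = $path
        Version = $ver
        State   = if ($svc) { $svc.State } else { 'NotRegistered' }
        Status  = $status
    }
}

Get-RtsPerStatus -Minimum $MinFixed | Format-List
```

A `NeedsUpdate` result with `State` of `Running` means the older driver is currently loaded on that machine.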
