- Millions of devices have been vulnerable to remote exploitation for over a decade already.
- This comes with the discovery of four critical flaws in Realtek SDK, used by 65 vendors.
- Providing fixes for all the affected models is a complicated matter and not every model will be covered.
Realtek is a Taiwanese semiconductor company specializing in audio, WiFi, and peripheral connectivity solutions, and its chips enjoy high levels of market penetration. As such, whenever a nasty flaw is found in its products, whether at the software or hardware level, it affects a wide range of devices and is hard to address in practice. In the most recent example of that, a team of researchers has found four critical vulnerabilities in Realtek’s SDK that affect 200 device models from 65 vendors - and possibly hundreds of thousands of IoT devices out there.
The four flaws, along with a short description, are the following:
- CVE-2021-35392: Heap buffer overflow in Realtek Jungle SDK versions 2.x and up to 3.4.14B, relying upon the unsafe crafting of SSDP NOTIFY messages in ‘WiFi Simple Config’. CVSS score – 8.1
- CVE-2021-35393: Stack buffer overflow in ‘WiFi Simple Config’, caused by the unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header. Exploiting this flaw can lead to remote unauthenticated arbitrary code execution on the target device. CVSS score – 8.1
- CVE-2021-35394: Multiple memory corruption flaws in ‘UDPServer’ MP tool, potentially leading to arbitrary command injection from remote unauthenticated attackers. Affects Realtek Jungle SDK versions 2.x and up to 3.4.14B. CVSS score – 9.8
- CVE-2021-35395: Multiple buffer overflow vulnerabilities in the HTTP web server 'boa', due to unsafe copies of some overly long parameters. Exists in Realtek Jungle SDK versions 2.x and up to 3.4.14B, and is exploitable wherever the management interface is exposed, since that interface is the entry point.
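Three of the four flaws above share one root cause: a fixed-size buffer on the device receives a header or parameter whose length the sender controls (the SSDP NOTIFY fields, the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header, the boa request parameters). A defender who cannot patch a device immediately can at least watch for the shape of that input on the network. The following is an added example, not code from the article, from Realtek, or from the researchers: a small Python inspector that parses SSDP/UPnP-style messages and flags header values that are oversized or a Callback header that is not a well-formed URL. The length threshold `MAX_HEADER_VALUE_LEN`, the regular expression, and the sample messages are constructed assumptions; the page names no buffer sizes.

```python
"""Illustrative inspector for SSDP/UPnP messages aimed at embedded devices.

Added example; not code from the article, Realtek, or the researchers.
The threshold, the Callback URL pattern and the sample messages are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed threshold: the article gives no buffer size, so this is an
# illustrative, conservative limit for a single header value on an IoT device.
MAX_HEADER_VALUE_LEN = 256

# A UPnP Callback header is expected to carry a bracketed HTTP URL,
# e.g. <http://host:port/path>. Anything else is treated as malformed.
CALLBACK_RE = re.compile(r"^<http://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s>]*)?>$")


@dataclass
class Finding:
    method: str   # request method or SSDP verb (SUBSCRIBE, NOTIFY, ...)
    header: str   # header name that triggered the finding
    reason: str   # human-readable explanation


def parse_message(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP-style SSDP/UPnP message into its start line and headers.

    Header names are upper-cased so lookups are case-insensitive, as HTTP
    header names are.
    """
    text = raw.decode("latin-1")          # byte-preserving decode; no exceptions
    head = text.split("\r\n\r\n", 1)[0]   # ignore any body
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                      # tolerate junk lines, keep parsing
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def inspect_message(raw: bytes) -> list[Finding]:
    """Return a list of findings for one message; empty means nothing suspicious."""
    start, headers = parse_message(raw)
    method = start.split(" ", 1)[0].upper()
    findings: list[Finding] = []

    # Check 1: any header value long enough to overrun a small fixed buffer.
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE_LEN:
            findings.append(Finding(method, name,
                                    f"value length {len(value)} exceeds {MAX_HEADER_VALUE_LEN}"))

    # Check 2: the Callback header of a subscription request must be a URL.
    if method in ("SUBSCRIBE", "UNSUBSCRIBE") and "CALLBACK" in headers:
        if not CALLBACK_RE.match(headers["CALLBACK"]):
            findings.append(Finding(method, "CALLBACK", "Callback is not a bracketed http URL"))
    return findings


def scan(messages: list[bytes]) -> list[tuple[int, Finding]]:
    """Inspect a batch of captured messages; returns (message index, finding) pairs."""
    return [(i, f) for i, msg in enumerate(messages) for f in inspect_message(msg)]


# Constructed sample traffic (not real captures). Addresses are documentation ranges.
BENIGN_SUBSCRIBE = (
    b"SUBSCRIBE /upnp/event/wps HTTP/1.1\r\n"
    b"HOST: 192.0.2.1:49152\r\n"
    b"CALLBACK: <http://192.0.2.10:8080/notify>\r\n"
    b"NT: upnp:event\r\n"
    b"TIMEOUT: Second-1800\r\n\r\n"
)
OVERSIZED_SUBSCRIBE = (
    b"SUBSCRIBE /upnp/event/wps HTTP/1.1\r\n"
    b"HOST: 192.0.2.1:49152\r\n"
    b"CALLBACK: <http://192.0.2.10:8080/" + b"A" * 600 + b">\r\n"
    b"NT: upnp:event\r\n\r\n"
)
MALFORMED_SUBSCRIBE = (
    b"SUBSCRIBE /upnp/event/wps HTTP/1.1\r\n"
    b"HOST: 192.0.2.1:49152\r\n"
    b"CALLBACK: not-a-url\r\n"
    b"NT: upnp:event\r\n\r\n"
)
BENIGN_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"NTS: ssdp:alive\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n\r\n"
)

if __name__ == "__main__":
    for idx, finding in scan([BENIGN_SUBSCRIBE, OVERSIZED_SUBSCRIBE,
                              MALFORMED_SUBSCRIBE, BENIGN_NOTIFY]):
        print(f"message {idx}: {finding.method} {finding.header}: {finding.reason}")
```

The two checks are deliberately crude: a length cap catches the class of input that overruns fixed buffers regardless of which header a given firmware mishandles, and the URL shape check catches subscription requests whose Callback could never have been produced by a legitimate control point. Run against a mirror of UPnP/SSDP traffic on the LAN segment where such devices live, this kind of rule gives a SOC something to alert on while vendor firmware is still pending.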
The researchers who discovered the above flaws contacted Realtek on May 17, 2021, and provided PoC scripts as required. Realtek patched the identified issues by June 10, 2021, except in the 2.x branch, which is 11 years old and no longer supported. This also means the four flaws have plagued some Realtek products for over a decade. As the report points out, some of the vendors had access to the Realtek SDK source code, yet they either missed the flaws or didn’t care enough to put effort into scrutinizing their supply chain.
Getting the fixes downstream is a complicated matter now, as device vendors will have to prepare and push their own patches. The manufacturers listed as affected include ASUS, Belkin, Beeline, D-Link, Huawei, LG, Logitech, Netgear, TCL, ZTE, and Zyxel, so the impact is pretty wide. The full list of affected models is given in the detailed report, so you can check for yourself. Realtek has also published an advisory, which you can check here.