Advisory: Multiple issues in Realtek SDK affect hundreds of thousands of devices down the supply chain

Resources

Research

Advisory: Multiple issues in Realtek SDK affect hundreds of thousands of devices down the supply chain

Quentin Kaiser

Lead Security Researcher

August 15, 2021

min read

TablE of contents

Example H2

READY TO UPGRADE YOUR RISK MANAGEMENT?

Make cybersecurity and compliance efficient and effective with ONEKEY.

Book a Demo

At least 65 vendors affected by severe vulnerabilities that enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege.

Overview

Over the course of a research project focusing on a specific cable modem, we identified that the system was using a dual-SoC design. The main SoC was running a Linux system, while the second SoC – a dedicated Realtek RTL819xD chipset implementing all the access point functions – was found to be running another, stripped-down Linux system from Realtek.

Realtek chipsets are found in many embedded devices in the IoT space. RTL8xxx SoCs – which provide wireless capabilities – are very common. We therefore decided to spend time identifying binaries running on the RTL819xD on our target device, which expose services over the network and are provided by Realtek themselves. Such binaries are packaged as part of the Realtek SDK, which is developed by Realtek and provided to vendors and manufacturers who use the RTL8xxx SoCs.

Supported by IoT Inspector’s firmware analysis platform, we performed vulnerability research on those binaries and identified more than a dozen vulnerabilities – ranging from command injection to memory corruption affecting UPnP, HTTP (management web interface), and a custom network service from Realtek.By exploiting these vulnerabilities, remote unauthenticated attackers can fully compromise the target device and execute arbitrary code with the highest level of privilege.

We identified at least 65 different affected vendors with close to 200 unique fingerprints, thanks both to Shodan’s scanning capabilities and some misconfiguration by vendors and manufacturers who expose those devices to the Internet. Affected devices implement wireless capabilities and cover a wide spectrum of use cases: from residential gateways, travel routers, Wi-Fi repeaters, IP cameras to smart lightning gateways or even connected toys.

Affected vendor & product	Realtek SDK (www.realtek.com)
Vendor Advisory	Vendor Advisory (realtek.com) Realtek SDK Advisory PDF
Vulnerable version	Realtek SDK v2.x Realtek “Jungle” SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT Realtek “Luna” SDK up to version 1.3.2
Fixed version	Realtek SDK branch 2.x: no longer supported by Realtek. Realtek “Jungle” SDK: patches will be provided by Realtek and need to be backported. Realtek “Luna” SDK: version 1.3.2a contains fixes.
CVE IDs	CVE-2021-35392 (‘WiFi Simple Config’ stack buffer overflow via UPnP) CVE-2021-35393 (‘WiFi Simple Config’ heap buffer overflow via SSDP) CVE-2021-35394 (MP Daemon diagnostic tool command injection) CVE-2021-35395 (management web interface multiple vulnerabilities)
Impact (CVSS)	CVE-2021-35392 – 8.1 (high) – AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-35393 – 8.1 (high) – AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-35394 – 9.8 (critical) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-35395 – 9.8 (critical) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit	Q. Kaiser, IoT Inspector Research Lab

Realtek SDK Vulnerabilities

Key Takeaways
As awareness for supply chain transparency is on the rise among security experts, this example is a pretty good showcase of the vast implications of an obscure IoT supply chain. As opposed to recent supply chain attacks such as Kaseya or Solar Winds, where perpetrators went to great lengths to infiltrate the vendor’s release processes and place hidden backdoors in product updates, this example is far less sophisticated – and probably way more common, for three simple reasons:

On the supplier’s end, insufficient secure software development practices, in particular lack of security testing and code review, resulted in dozens of critical security issues to remain untouched in Realtek’s codebase for more than a decade (from 2.x branch through “Jungle“ SDK to “Luna” SDK).
On the product vendor’s end, we see manufacturers with access to the Realtek source code (a requirement to build Realtek SDK binaries for their own platform) who missed to sufficiently validate their supply chain, left the issues unspotted and distributed the vulnerabilities to hundreds of thousands of end customers – leaving them vulnerable to attacks.
But supply chain issues can go upstream, too. During our research, we discovered that security researchers and pen-testers have previously identified issues in devices relying on the Realtek SDK, but didn’t link these issues to Realtek directly. Vendors who received reports of these vulnerabilities fixed them in their own branch but did not notify Realtek, leaving others exposed.
Our firmware analysis platform IoT Inspector can support in detecting such crucial supply chain issues. It automatically detects whether a firmware is based on a vulnerable Realtek SDK, along with its specific version. It can also detect each vulnerability we reported, and whether or not the provided patch has been applied.

Please keep reading for the full details of our research process.

[...CONTENT OMITTED FOR BREVITY BUT REMAINS UNCHANGED...]

Timeline
2021-05-17 – Ask Realtek security team for a way to send our report securely.
2021-05-18 – Realtek security team provides their PGP key, we send encrypted advisories.
2021-05-25 – Realtek security team request Python PoC scripts.
2021-05-25 – We provide scripts for every reported vulnerability.
2021-06-10 – Realtek security team provides us the patched code, along with a patched firmware for the 96D_92D demo boards.
2021-06-10 – We review the patch and send our comments related to checks that could still be bypassed.
2021-06-11 – Realtek security team provides us with the exact list of affected versions for “Jungle” and “Luna” SDKs. The 2.x branch is no longer supported by Realtek, being 11 years old.
2021-06-16 – We request CVE identifiers from MITRE.
2021-08-05 – We receive CVE identifiers from MITRE.
2021-08-13 – Realtek publish its advisory.
2021-08-16 – End of 90 days disclosure window, releasing this post.
Appendix
List of (known) affected manufacturers

‍

About Onekey

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann
Senior Marketing Manager
sara.fortmann@onekey.com

euromarcom public relations GmbH
team@euromarcom.de

Ready to automate your Product Cybersecurity & Compliance?

Make cybersecurity and compliance efficient and effective with ONEKEY.

Book a Demo

READY TO UPGRADE YOUR RISK MANAGEMENT?

Overview

About Onekey

RELATED RESEARCH ARTICLES

Security Advisory: Remote Code Execution on Viasat Modems (CVE-2024-6199)

Security Advisory: Remote Code Execution on Viasat Modems (CVE-2024-6198)

Unblob 2024 Highlights: Sandboxing, Reporting, and Community Milestones

Ready to automate your Product Cybersecurity & Compliance?