Realtek Wi-Fi SDK vulnerabilities affect 65 vendors and hundreds of thousands of IoT devices
Flaws affecting devices, from IP cameras to residential gateways, travel routers, smart lightning gateways, Wi-Fi repeaters and connected toys now patched
Taiwanese chip designer Realtek has released patches to address four critical security vulnerabilities in its Wi-Fi software development kits (SDKs) that are used in almost 200 Internet of Things (IoT) product lines offered by at least 65 hardware manufacturers.
The security flaws were discovered by the researchers at German cybersecurity firm IoT Inspector, over the course of a research project that focused on a specific cable modem.
During the project, the researchers identified some issues with the Realtek RTL819xD chipset, and decided to closely examine the binaries that were running on that specific chip.
RTL819xD chipset provides wireless connectivity to manufacturers' IoT kit, and the software is used in a variety of products ranging from WiFi routers to IP cameras.
Researchers say analysis of binaries revealed that they contained multiple vulnerabilities, ranging from memory corruption to command injection impacting UPnP, HTTP (management web interface), and a custom network service from Realtek.
The four critical bug discovered by the IoT Inspector researchers are:
- CVE-2021-35392: 'WiFi Simple Config' stack buffer overflow via UPnP
- CVE-2021-35393: heap-based buffer overflow
- CVE-2021-35394: a command injection in the MP Daemon diagnostic tool
- CVE-2021-35395: multiple bugs in the SDK's management web interface
These flaws affect Realtek SDK v2.x; Realtek 'Luna' SDK up to version 1.3.2; and Realtek 'Jungle' SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT and cover a wide range of devices, from IP cameras to residential gateways, travel routers, smart lightning gateways, Wi-Fi repeaters, and even connected toys.
The list of vendors affected includes Huawei, LG, Logitech, Asus, D-Link, Belkin, Beeline, Edimax, ZTE, Netgear and more.
According to researchers, threat actors could exploit these bugs remotely to fully compromise the target device and run arbitrary code with the highest level of privilege.
"We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million," researchers stated in a blog post.
Florian Lukavsky, MD at IoT Inspector, said they notified Realtek about the security vulnerabilities in May 2021, after which the firm took immediate steps to issue patches for the security holes in its software.
Realtek has now released patches [pdf] for "Luna" SDK in version 1.3.2a, while users of "Jungle" SDK are recommended to backport the fixes provided by the company.
Realtek SDK branch 2.x is no longer supported by Realtek.