Critical Vulnerability in Realtek Devices Affects Millions of Devices

A critical vulnerability, tracked as CVE-2022-27255, has been reported in network devices built on Realtek's SDK.

The affected versions are Realtek's rtl819x-eCos-v0.x and rtl819x-eCos-v1.x SDK series. In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow. This allows a remote, unauthenticated attacker to execute code via a crafted SIP packet containing malicious SDP data. The vulnerability affects devices from several original equipment manufacturers, ranging from routers and access points to signal repeaters. Threat actors exploiting it could crash the targeted devices, execute arbitrary code, deliver and run a backdoor to maintain persistence on the victim's device, and intercept and reroute network traffic.

Four researchers from Faraday Security have produced a proof-of-concept for the vulnerability and noted that CVE-2022-27255 is a zero-click vulnerability: exploitation is silent and requires no user interaction, only the external IP address of the vulnerable device.

Even though Realtek addressed the issue in March, it still affects millions of devices, including the rtl819x-eCos-v0.x and rtl819x-eCos-v1.x series, and it can be exploited through the WAN interface.

“Despite a patch being available since March, the vulnerability affects ‘many (millions) of devices’ and a fix is unlikely to propagate to all devices. This is because multiple vendors use the vulnerable Realtek SDK for equipment based on RTL819x SoCs, and many of them have yet to release a firmware update. It is unclear how many networking devices use RTL819x chips, but the RTL819xD version of the SoC was present in products from more than 60 vendors, among them ASUSTek, Belkin, Buffalo, D-Link, Edimax, TRENDnet, and Zyxel,” said Johannes Ullrich, Dean of Research at SANS.


Users are advised to check their networking equipment for the vulnerability and install a firmware update if one is available. Organizations can also block unsolicited UDP requests reaching the WAN interface.
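As an added defender-side example (not code from the article, Realtek, or Faraday Security), the following Python heuristic inspects a SIP message of the kind an ALG would rewrite and flags SDP bodies that are malformed, have a mismatched Content-Length, or contain lines longer than an assumed threshold; the threshold value and the sample messages are constructed for illustration, and the logic could be run over SIP/UDP payloads captured at the WAN side while waiting for vendor firmware.

```python
import re

# Assumed heuristic threshold (not from the advisory): an SDP line longer than
# this is treated as suspicious for a fixed-size stack buffer in an ALG rewriter.
MAX_SDP_LINE = 256
# Well-formed SDP lines are a single lowercase letter, '=', then the value.
SDP_LINE = re.compile(r"^[a-z]=.*$")


def parse_sip(raw: bytes):
    """Split a SIP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_sip(raw: bytes) -> list:
    """Return a list of findings for the SDP body; an empty list means clean."""
    _start, headers, body = parse_sip(raw)
    findings = []
    if "application/sdp" not in headers.get("content-type", "").lower():
        return findings  # no SDP payload, so nothing for the ALG to rewrite
    try:
        declared = int(headers.get("content-length", len(body)))
    except ValueError:
        findings.append("non-numeric Content-Length")
        declared = len(body)
    if declared != len(body):
        findings.append(f"Content-Length {declared} != body size {len(body)}")
    for line in body.decode("latin-1").split("\r\n"):
        if not line:
            continue
        if not SDP_LINE.match(line):
            findings.append(f"malformed SDP line: {line[:20]!r}")
        if len(line) > MAX_SDP_LINE:
            findings.append(f"oversized SDP line ({len(line)} bytes) at {line[:2]!r}")
    return findings


def _sip(body: bytes) -> bytes:
    """Build a constructed INVITE carrying the given SDP body (sample data)."""
    return (b"INVITE sip:bob@example.org SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
            b"Content-Type: application/sdp\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(body) + body)


BENIGN = _sip(b"v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\n"
              b"c=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")
SUSPECT = _sip(b"v=0\r\nc=IN IP4 " + b"9" * 400 + b"\r\n")
```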


