backdoor, realtek, remote code execution

Exploit code has been released for a critical vulnerability affecting networking devices with Realtek’s RTL819x system on a chip (SoC), which are estimated to be in the millions.

The flaw is identified as CVE-2022-27255 and a remote attacker could exploit it to compromise vulnerable devices from various original equipment manufacturers (OEMs), ranging from routers and access points to signal repeaters.

No user interaction needed

Researchers from cybersecurity company Faraday Security in Argentina discovered the vulnerability in Realtek’s SDK for the open-source eCos operating system and disclosed the technical details last week at the DEFCON hacker conference.

The four researchers (Octavio Gianatiempo, Octavio Galland, Emilio Couto, Javier Aguinaga) credited with finding the vulnerability are computer science students at the University of Buenos Aires.

Their presentation covered the entire effort leading to finding the security issue, from picking a target to analyzing the firmware and exploiting the vulnerability, and automating the detection in other firmware images.

CVE-2022-27255 is a stack-based buffer overflow with a severity score of 9.8 out of 10 that enables remote attackers to execute code without authentication by using specially crafted SIP packets with malicious SDP data.

Realtek addressed the issue in March noting that it affects rtl819x-eCos-v0.x series and rtl819x-eCos-v1.x series and that it could be exploited through a WAN interface.

The four researchers from Faraday Security have developed proof-of-concept (PoC) exploit code for CVE-2022-27255 that works on Nexxt Nebula 300 Plus routers.

They also shared a video showing that a remote attacker could compromise the device even if remote management features are turned off.

The researchers note that CVE-2022-27255 is a zero-click vulnerability, meaning that exploitation is silent and requires no interaction from the user.

An attacker exploiting this vulnerability would only need the external IP address of the vulnerable device.

Few lines of defense

Johannes Ullrich, Dean of Research at SANS, says that a remote attacker could exploit the vulnerability for the following actions:

  • crash the device
  • execute arbitrary code
  • establish backdoors for persistence
  • reroute network traffic
  • intercept network traffic

Ullrich warns that if an exploit for CVE-2022-27255 turns into a worm, it could spread over the internet in minutes.

Despite a patch being available since March, Ullrich warns that the vulnerability affects “many (millions) of devices” and that a fix is unlikely to propagate to all devices.

This is because multiple vendors use the vulnerable Realtek SDK for equipment based on RTL819x SoCs and many of them have yet to release a firmware update.

It is unclear how many networking devices use RTL819x chips, but the RTL819xD version of the SoC was present in products from more than 60 vendors, among them ASUSTek, Belkin, Buffalo, D-Link, Edimax, TRENDnet, and Zyxel.

The researcher says that:

  • Devices using firmware built around the Realtek eCos SDK before March 2022 are vulnerable
  • You are vulnerable even if you do not expose any admin interface functionality
  • Attackers may use a single UDP packet to an arbitrary port to exploit the vulnerability
  • This vulnerability will likely affect routers the most, but some IoT devices built around Realtek’s SDK may also be affected

Ullrich created a Snort rule that can detect the PoC exploit. It looks for “INVITE” messages containing the string “m=audio” and triggers when that string is followed by more than 128 bytes (the size of the buffer allocated by the Realtek SDK), none of which is a carriage return.
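The detection logic described above can also be applied offline to captured UDP payloads. The following is an added example, not Ullrich's Snort rule or code from the researchers' repository; it implements the check as the article describes it, and the function name, constants and sample packets are assumptions constructed for illustration.

```python
# Added example: flags SIP INVITE payloads whose "m=audio" SDP line runs
# past 128 bytes without a carriage return, per the article's description.
BUFFER_SIZE = 128      # buffer size allocated by the Realtek SDK (from the article)
MARKER = b"m=audio"    # SDP media description the rule keys on


def overlong_media_lines(payload: bytes) -> list:
    """Return (offset, run_length) for each m=audio line that exceeds the buffer.

    run_length counts the bytes after "m=audio" up to the first carriage
    return, or up to the end of the payload if there is none.
    """
    # The rule only applies to INVITE requests.
    if payload[:6].upper() != b"INVITE":
        return []
    findings = []
    start = payload.find(MARKER)
    while start != -1:
        body = start + len(MARKER)
        cr = payload.find(b"\r", body)
        end = len(payload) if cr == -1 else cr
        run = end - body
        if run > BUFFER_SIZE:
            findings.append((start, run))
        start = payload.find(MARKER, body)
    return findings


def make_invite(media_tail: bytes, method: bytes = b"INVITE") -> bytes:
    """Build a constructed SIP request for testing (documentation addresses)."""
    return (method + b" sip:user@192.0.2.1 SIP/2.0\r\n"
            b"Content-Type: application/sdp\r\n\r\n"
            b"v=0\r\n" + MARKER + media_tail + b"\r\n")


if __name__ == "__main__":
    samples = {
        "normal INVITE": make_invite(b" 49170 RTP/AVP 0"),
        "exactly 128 bytes": make_invite(b"X" * 128),
        "129 bytes, no CR": make_invite(b"X" * 129),
        "oversized but not INVITE": make_invite(b"X" * 200, b"OPTIONS"),
    }
    for name, pkt in samples.items():
        hits = overlong_media_lines(pkt)
        print(f"{name:28s} -> {'ALERT ' + str(hits) if hits else 'ok'}")
```

Because the article notes that the packet can arrive on an arbitrary UDP port, run the check over all inbound UDP payloads rather than only port 5060.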

Users should check if their networking equipment is vulnerable and install a firmware update from the vendor released after March, if available. Other than this, organizations could try to block unsolicited UDP requests.

Slides for the DEFCON presentation along with exploits, and a detection script for CVE-2022-27255 are available in this GitHub repository.
