Realtek RTL819xD: Vulnerability in SoCs is actively used


According to experts, a security hole in Realtek network chips is already being used extensively to create botnets using a variant of Mirai malicious code. At least 65 manufacturers are affected. Despite the patch, closing the gap is difficult.

Using the vulnerability published on August 16 by SAM Seamless Network, unauthenticated attackers are said to be able to completely compromise the target device and execute arbitrary code with the highest privilege level. This relies on a buffer overflow bug found by IoT Inspector. According to the researchers, it is primarily IoT devices that are infected in order to connect them to botnets and launch large-scale distributed denial-of-service (DDoS) attacks. For this, a variant of the Mirai malware, which was first found 5 years ago, is used. According to the experts, the vulnerability with the ID CVE-2021-35395 appears to be just one of several gaps found in various Realtek wireless SoCs, all of which originate in the chip manufacturer's software development kits (SDKs).

Crash or takeover

The weak point essentially concerns an HTTP web server component of the SDKs, which provides two web-based management interfaces, “Boa” and “webs”. By transmitting specially prepared parameters, attackers can trigger buffer overflows in these servers. While the researchers assume that the attack can completely take over devices, Realtek assumes that it can only crash the servers. It is also possible that the behavior differs from device to device.

Large-scale manufacturers and devices affected

The vulnerability affects more than 65 manufacturers, including devices from AsusTEK, D-Link, Logitec, Netgear and Zyxel, as well as a wide range of products, from VoIP and wireless routers to repeaters, IP cameras and smart lighting controls – a total of more than 200 device types. A list of the previously known affected manufacturers can be found in the attachment of a blog entry by IoT Inspector.

Patch already exists, but …

Realtek already made an update available in mid-August, but distribution is difficult: first, the manufacturers of the respective devices have to integrate the patch into their devices in new firmware versions and distribute the update. As the last link in the chain, users must also learn of the vulnerability and the urgency of the update, and install it. It is doubtful that this will happen across the board.

Affected owners are advised to install the update as soon as possible and, until then, either to shield the devices concerned from attacks from the network or, if necessary, to take them completely offline.