- Four students at the University of Buenos Aires, Octavio Gianatiempo, Octavio Galland, Emilio Couto, and Javier Aguinaga, were credited with finding the vulnerability.
- The vulnerability allows a remote attacker to compromise devices, including routers, access points, and signal repeaters.
- Octavio Gianatiempo and Octavio Galland demonstrated the exploit code for the vulnerability during their presentation at Defcon.
Octavio Gianatiempo and Octavio Galland announced that exploit code has been released for a flaw affecting networking devices built on Realtek’s RTL819x system on a chip. During their Defcon presentation, they said that millions of these devices are estimated to be in use. The vulnerability is tracked as CVE-2022-27255 and can allow a remote attacker to compromise devices, including routers, access points, and signal repeaters.
Millions of vulnerable devices
Four students at the University of Buenos Aires, Octavio Gianatiempo, Octavio Galland, Emilio Couto, and Javier Aguinaga, were credited with finding the vulnerability. Researchers at Argentina-based Faraday Security discovered the vulnerability in Realtek’s SDK and disclosed the technical details at Defcon.
During the presentation, the duo discussed the challenges they ran into during the analysis and explained how they traced the root cause of the vulnerability to Realtek’s implementation of a networking function in its SDK for eCos devices. They also demonstrated the method they used to automate detection of the vulnerability in other firmware images. The researchers stated that this functionality is undocumented and cannot be disabled via the router’s web interface. Gianatiempo and Galland say the vulnerability is easy to spot, widespread, and critical.
The stack-based buffer overflow vulnerability has a severity score of 9.8. It allows unauthenticated attackers to execute code by sending specially crafted SIP packets. Realtek addressed the issue in March. The company stated that it affects the rtl819x-eCos-v0.x and rtl819x-eCos-v1.x series and confirmed that it can be exploited through the WAN interface.
More than 60 vendors use the vulnerable SDK in their network devices, among them ASUSTek, Belkin, Buffalo, D-Link, Edimax, and Zyxel. Devices running firmware built on the Realtek SDK from before March are vulnerable. Because the flaw can be triggered with a single UDP packet sent to an arbitrary port, even devices that do not expose an admin interface are affected. Users are urged to install a firmware update from their vendor if one is available.
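The two properties the article reports, that the vulnerable SIP handling is reached by an unauthenticated SIP request in a single UDP datagram and that the datagram can target any UDP port, are what a WAN-side monitor has to account for. The following heuristic detector is an added example, not code from Faraday Security or Realtek: the article does not say which SIP field overflows, so the 256-byte line threshold and the "SIP on a non-standard port" check are assumptions of this example, and the datagrams are constructed samples rather than captured traffic.

```python
import re

# Heuristic detector written for this article; it is not Faraday's or Realtek's code.
# The article states only that one unauthenticated SIP-carrying UDP datagram, sent to
# any port, reaches the vulnerable SIP handling. Which field overflows is not given,
# so MAX_LINE is an assumed threshold, not a value from the advisory.
SIP_REQUEST = re.compile(rb"^(INVITE|REGISTER|OPTIONS|ACK|BYE|CANCEL|INFO) \S+ SIP/2\.0\r\n")
MAX_LINE = 256
STANDARD_SIP_PORT = 5060

def inspect_udp(dst_port: int, payload: bytes) -> list[str]:
    """Return the reasons a UDP datagram looks suspicious for this overflow class.
    Because the affected firmware inspects SIP on every UDP port, callers should feed
    it all WAN-side datagrams, not only port 5060 traffic."""
    if not SIP_REQUEST.match(payload):
        return []  # not a SIP request: the SIP path the article describes is not entered
    reasons = []
    if dst_port != STANDARD_SIP_PORT:
        reasons.append(f"SIP request on non-standard UDP port {dst_port}")
    for line in payload.split(b"\r\n"):
        if len(line) > MAX_LINE:
            reasons.append(f"SIP line of {len(line)} bytes exceeds {MAX_LINE}")
            break
    return reasons

def scan(datagrams):
    """Run inspect_udp over (dst_port, payload) pairs; return (port, reasons) hits only."""
    return [(port, hits) for port, data in datagrams if (hits := inspect_udp(port, data))]

# Constructed sample datagrams (not captured traffic).
BENIGN = (b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.0.2.1:5060\r\n"
          b"Content-Length: 0\r\n\r\n")
OVERSIZED = (b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
             b"X-Padding: " + b"A" * 600 + b"\r\n\r\n")
NOT_SIP = b"\x00\x01\x02random-udp-payload"

if __name__ == "__main__":
    for port, reasons in scan([(5060, BENIGN), (9999, OVERSIZED), (9999, NOT_SIP)]):
        print(port, reasons)
```

Hits should be correlated with the WAN interface and the device's firmware version; on patched firmware the same datagram is simply noise.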