Pierluigi Paganini February 06, 2021

Critical flaws in the Realtek RTL8195A Wi-Fi module could have been exploited to gain root access and take over devices’ wireless communications.

Researchers from Israeli IoT security firm Vdoo found six vulnerabilities in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take control of a device’s wireless communications.

The Realtek RTL8195AM is a highly integrated single-chip with a low-power-consumption mechanism ideal for IoT (Internet of Things) applications in multiple industries. 

The module implements an “Ameba” API to allow developers to communicate with the device via Wi-Fi, HTTP, and MQTT, which is a lightweight messaging protocol for small sensors and mobile devices.

Realtek supplies their own “Ameba” API to be used with the device, which allows any developer to communicate easily via Wi-Fi, HTTP, mDNS, MQTT and more.

“As part of the module’s Wi-Fi functionality, the module supports the WEP, WPA and WPA2 authentication modes.” reads the analysis published by the experts.

“In our security assessment, we have discovered that the WPA2 handshake mechanism is vulnerable to various stack overflow and read out-of-bounds issues.”

The flaws discovered by the experts Experts discovered are stack overflow and out-of-bounds issues that are related to the Wi-Fi module’s WPA2 four-way handshake mechanism during authentication.

The vulnerabilities discovered by Vdoo also impact other modules, including RTL8711AM, RTL8711AF, and RTL8710AF.

The most severe issue we discovered is VD-1406, a remote stack overflow that allows an attacker in the proximity of an RTL8195 module to completely take over the module, without knowing the Wi-Fi network password (PSK) and regardless of whether the module is acting as a Wi-Fi access point or client. The attack scenarios are detailed in the next section: “Technical Deep-Dive”.

The most severe vulnerability, tracked as CVE-2020-9395, is a remote stack overflow that could be exploited by attackers in the proximity of a vulnerable RTL8195 module to completely take over it. The experts pointed out that the attackers don’t need the knowledge of the Wi-Fi network password (PSK) or whether the module is acting as a Wi-Fi access point or client.

The experts discovered to denial of service flaws and three flaws that could allow an attacker the exploitation of Wi-Fi client devices and the execution of arbitrary code.

Below the full list of flaws discovered by the expers:

• VD-1406 (CVE-2020-9395) – Stack-based buffer overflow vulnerability
• VD-1407 (CVE-2020-25853) – Read out of bounds vulnerability
• VD-1408 (CVE-2020-25854) – Stack-based buffer overflow vulnerability;
• VD-1409 (CVE-2020-25855) – Stack-based buffer overflow vulnerability
• VD-1410 (CVE-2020-25856) – Stack-based buffer overflow vulnerability
• VD-1411 (CVE-2020-25857) – Stack-based buffer overflow vulnerability

In order to address the flaws, users have to download the updated versions of the Ameba SDK from Realtek’s website. The latest version of Ameba Arduino (2.0.8) contains patches for all the above issues.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]