Realtek SDK flaws exploited to deliver Mirai bot variant

Researchers warn that threat actors are actively exploiting Realtek SDK vulnerabilities since their technical details were publicly disclosed.

Researchers from SAM Seamless Network warn that threat actors are actively exploiting Realtek SDK vulnerabilities since their technical details were publicly disclosed.

Realtek published a security advisory on August 15 to warn customers about security updates to address vulnerabilities in its software developers kits (SDK) which is used by at least 65 separate vendors.

On August 15, firmware security company IoT Inspector published details about the flaws.

SAM Seamless Network observed threat actors exploiting the vulnerabilities since August 18.

“On August 16th, three days ago, multiple vulnerabilities in a software SDK distributed as part of Realtek chipsets were disclosed by IoT Inspector Research Lab [1]. The vulnerabilities allow attackers to fully compromise and take control of affected devices. Just yesterday, only two days after the publication, our home security solution, Secure Home, detected attempts to exploit these vulnerabilities to spread a variant of a Mirai malware.” reported IoT Inspector.

“One of the vulnerabilities disclosed, CVE-2021-35395 [2], affects the web interface that is part of the SDK, and is a collection of 6 different vulnerabilities. As of August 18th, we have identified attempts to exploit CVE-2021-35395 in the wild.”

Experts from IoT Inspector discovered more than a dozen vulnerabilities in the Realtek SDK used by companies that use its RTL8xxx chips. Experts reported that some of the flaws could allow a remote, unauthenticated attacker to take complete control of a vulnerable device.

“Supported by IoT Inspector’s firmware analysis platform, we performed vulnerability research on those binaries and identified more than a dozen vulnerabilities – ranging from command injection to memory corruption affecting UPnP, HTTP (management web interface), and a custom network service from Realtek.” reported IoT Inspector.

“By exploiting these vulnerabilities, remote unauthenticated attackers can fully compromise the target device and execute arbitrary code with the highest level of privilege. We identified at least 65 different affected vendors with close to 200 unique fingerprints, thanks both to Shodan’s scanning capabilities and some misconfiguration by vendors and manufacturers who expose those devices to the Internet. Affected devices implement wireless capabilities and cover a wide spectrum of use cases: from residential gateways, travel routers, Wi-Fi repeaters, IP cameras to smart lightning gateways or even connected toys.”

Affected devices include routers, IP cameras, Wi-Fi repeaters and residential gateways from multiple brands, such as ASUS, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.

The flaws were collectively tracked as CVE-2021-35392, CVE-2021-35393, CVE-2021-35394 and CVE-2021-35395 and SAM experts observed that the CVE-2021-35395 has been exploited in the wild to spread a Mirai bot.

“One of the vulnerabilities disclosed, CVE-2021-35395 [2], affects the web interface that is part of the SDK, and is a collection of 6 different vulnerabilities. As of August 18th, we have identified attempts to exploit CVE-2021-35395 in the wild.” states SAM experts. “Specifically, we noticed exploit attempts to “formWsc” and “formSysCmd” web pages. The exploit attempts to deploy a Mirai variant detected in March by Palo Alto Networks [3]. Mirai is a notorious IoT and router malware circulating in various forms for the last 5 years. It was originally used to shut down large swaths of the internet but has since evolved into many variants for different purposes.”

The Mirai variant involved in the attack is the same spotted by Palo Alto Networks researchers in March. In March the bot had been exploiting 10 vulnerabilities to hijack IoT devices.

On August 6, Juniper Networks reported that threat actors were actively exploiting a critical authentication bypass vulnerability, tracked as CVE-2021-20090, impacting home routers with Arcadyan firmware to deploy a Mirai bot, the same variant exploiting the CVE-2021-35395 flaws.

“According to SAM’s own research of connected devices, based on anonymously collected network data spanning more than 2M home and business networks, the following devices are the most common devices with the Realtek SDK: Netis E1+ extender, Edimax N150 and N300 Wi-Fi router, Repotec RP-WR5444 router,” continues SAM. “These devices are used mainly to enhance Wi-Fi reception.”

SAM experts published full attack details along with indicators of compromise (IOCs) for the recent attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, InkySquid)

[adrotate banner=”5″]

[adrotate banner=”13″]

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Realtek)

[adrotate banner=”5″]

[adrotate banner=”13″]