A flaw in Realtek SDK exposes SOHO routers to the attack

Pierluigi Paganini April 30, 2015

A flaw affecting Realtek SDK exposes SOHO routers to remote code execution attacks. List of vulnerable devices include D-Link and TRENDnet products.

The security expert from DVLabs security researcher and content developer at HP Enterprise Security Ricky Lawshae discovered a (CVE-2014-8361) vulnerability that affects Realtek SDK used for RTL81xx chipsets.

The exploitation of the vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the vulnerable systems with root privileges.

Routers RealTek SDK 2

The expert reported the vulnerability to HP’s Zero-Day Initiative (ZDI) in August 2014, but after a prolonged silence of the company, ZDI decided to disclose the flaw that was rated with a CVSS score of 10.

“The specific flaw exists within the miniigd SOAP service. The issue lies in the handling of the NewInternalClient requests due to a failure to sanitize user data before executing a system call,” reads an advisory published by ZDI.

The expert was able to exploit of the flaw on two families of routers, the D-Link and the TRENDnet routers, which used the RTL81xx chipsets, anyway other SOHO devices from other vendors use the same chipset. Lawshae speculates that devices using the miniigb binary from the Realtek SDK are affected by the flaw.

“Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.” is the mitigation strategy described in the advisory.

Realtek has not released any comment.

Security flaws in SOHO devices are very dangerous because they could be exploited by threat actors for large-scale attacks as happened in March 2014 when researchers at Team Cymru published a detailed report on a large scale SOHO pharming attack that hit more than 300,000 devices worldwide.

Pierluigi Paganini

(Security Affairs – Realtek , SOHO device)

you might also like

leave a comment