A flaw in Realtek SDK exposes SOHO routers to the attack

A flaw affecting Realtek SDK exposes SOHO routers to remote code execution attacks. List of vulnerable devices include D-Link and TRENDnet products.

The security expert from DVLabs security researcher and content developer at HP Enterprise Security Ricky Lawshae discovered a (CVE-2014-8361) vulnerability that affects Realtek SDK used for RTL81xx chipsets.

The exploitation of the vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the vulnerable systems with root privileges.

The expert reported the vulnerability to HP’s Zero-Day Initiative (ZDI) in August 2014, but after a prolonged silence of the company, ZDI decided to disclose the flaw that was rated with a CVSS score of 10.

“The specific flaw exists within the miniigd SOAP service. The issue lies in the handling of the NewInternalClient requests due to a failure to sanitize user data before executing a system call,” reads an advisory published by ZDI.

The expert was able to exploit of the flaw on two families of routers, the D-Link and the TRENDnet routers, which used the RTL81xx chipsets, anyway other SOHO devices from other vendors use the same chipset. Lawshae speculates that devices using the miniigb binary from the Realtek SDK are affected by the flaw.

“Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.” is the mitigation strategy described in the advisory.

Realtek has not released any comment.

Security flaws in SOHO devices are very dangerous because they could be exploited by threat actors for large-scale attacks as happened in March 2014 when researchers at Team Cymru published a detailed report on a large scale SOHO pharming attack that hit more than 300,000 devices worldwide.

Pierluigi Paganini

(Security Affairs – Realtek , SOHO device)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.