SOCRadar® Cyber Intelligence Inc. | Exploit Code of Critical Realtek SDK Vulnerability Released


Aug 17, 2022

Exploit Code of Critical Realtek SDK Vulnerability Released

Exploit code is available for a high-severity security flaw in the Realtek eCos SDK. The flaw could allow unauthenticated remote attackers to:

  • Execute arbitrary code 
  • Crash networking devices 
  • Create backdoors
  • Intercept network traffic 
  • Modify network traffic route 

Devices running firmware built with the Realtek eCos SDK before March are at risk, and routers are the most affected among IoT devices.

How Does the Vulnerability Affect Devices?

With a severity rating of 9.8, CVE-2022-27255 is a stack-based buffer overflow that allows RCE through specially crafted SIP packets carrying malicious SDP data.

Realtek, the semiconductor company with roots in Taiwan, released a patch in March to address the eCos SDK flaw. Realtek fixed the vulnerability and stated that it might be exploited through a WAN interface, affecting the rtl819x-eCos-v0.x and rtl819x-eCos-v1.x series. 

At the DEFCON hacker conference last week, researchers from Faraday Security revealed technical information about the vulnerability. They also created proof-of-concept (PoC) exploit code for the flaw, which is compatible with Nexxt Nebula 300 Plus routers.

According to the researchers, routers operating with default settings are susceptible to attack and can be compromised remotely over the internet. No user interaction is necessary for successful exploitation. The vulnerable device's external IP address is all that an attacker would need to exploit this flaw.

Over 60,000 Routers Unprotected

The vulnerability also affects the products of vendors other than Realtek.

Researchers found nearly 20 vendors who use products vulnerable to CVE-2022-27255, including D-Link, Nexxt, Tenda, and Intelbras. Over 60,000 routers with unprotected admin panels were also found.

“The admin panel is not enabled by default, so the total number of exposed devices should be greater,” said researcher Gianatiempo.

They also released a video demonstrating how the device might be compromised by a remote attacker even if remote management functions are disabled. 

Is There a Mitigation?

A SANS researcher cautions that if an exploit for this flaw is turned into a worm, it might propagate over the internet in minutes. The researcher adds that even though a patch has been available, the vulnerability affects many devices, and a remedy is unlikely to be applied to all of them. Researcher Ullrich developed a Snort rule that can identify the PoC exploit.

Attackers can exploit the flaw by sending a single UDP packet to any port, so blocking insecure UDP requests is advised. 
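
The following Python example is added here and is neither Ullrich's Snort rule nor code from the researchers: it flags SIP messages whose SDP body contains an over-long line, and it inspects UDP payloads on every destination port because the packet can be sent to any port. The 128-byte limit, the function names and the sample packets are assumptions constructed for this example.

```python
import re

# Assumption: 128 bytes is a tunable heuristic picked for this example; the
# article does not state which SDP field overflows or at what length.
MAX_SDP_LINE = 128

SIP_START = re.compile(
    rb"(?:INVITE|REGISTER|OPTIONS|ACK|BYE|CANCEL|SIP/2\.0) ", re.IGNORECASE)
SDP_LINE = re.compile(rb"[a-z]=")  # SDP lines have the form <letter>=<value>


def inspect_payload(payload: bytes, max_line: int = MAX_SDP_LINE) -> list:
    """Return findings for one UDP payload; an empty list means no finding."""
    if not SIP_START.match(payload):
        return []  # not SIP, out of scope for this check
    parts = re.split(rb"\r?\n\r?\n", payload, maxsplit=1)
    if len(parts) < 2:
        return []  # SIP message without a body, so there is no SDP to inspect
    findings = []
    for line in parts[1].splitlines():
        if SDP_LINE.match(line) and len(line) > max_line:
            findings.append(
                f"SDP {chr(line[0])}= line is {len(line)} bytes (limit {max_line})")
    return findings


def scan(packets):
    """packets: iterable of (src_ip, dst_port, payload) tuples.
    The port is reported but never used as a filter."""
    return [(src, dport, found) for src, dport, payload in packets
            for found in [inspect_payload(payload)] if found]


# Constructed sample traffic (documentation addresses, filler bytes only).
HDR = b"INVITE sip:user@example.test SIP/2.0\r\nContent-Type: application/sdp\r\n\r\n"
SDP_OK = b"v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=call\r\nm=audio 49170 RTP/AVP 0\r\n"
SDP_LONG = b"v=0\r\na=" + b"A" * 300 + b"\r\n"
SAMPLES = [
    ("198.51.100.7", 5060, HDR + SDP_OK),     # ordinary call setup
    ("203.0.113.9", 31337, HDR + SDP_LONG),   # SIP on an arbitrary port, long line
    ("203.0.113.9", 53, b"\x12\x34\x01\x00"),  # unrelated UDP traffic
]

if __name__ == "__main__":
    for src, dport, found in scan(SAMPLES):
        print(src, dport, found)
```

A hit from this heuristic is a reason to look at the packet, not proof of exploitation; legitimate SDP lines can be long, so tune the limit against normal traffic before alerting on it.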

If the vendor has provided a firmware update after March, users should install it, and they should check whether their networking device is vulnerable.