Exploit code has been released for a critical vulnerability affecting networking devices with Realtek’s RTL819x system on a chip (SoC), which are estimated to be in the millions.
The flaw is identified as CVE-2022-27255 and a remote attacker could exploit it to compromise vulnerable devices from various original equipment manufacturers (OEMs), ranging from routers and access points to signal repeaters.
No user interaction needed
Researchers from cybersecurity company Faraday Security in Argentina discovered the vulnerability in Realtek’s SDK for the open-source eCos operating system and disclosed the technical details last week at the DEFCON hacker conference.
Their presentation covered the entire effort leading to finding the security issue, from picking a target to analyzing the firmware and exploiting the vulnerability, and automating the detection in other firmware images.
CVE-2022-27255 is a stack-based buffer overflow with a severity score of 9.8 out of 10 that enables remote attackers to execute code without authentication by using specially crafted SIP packets with malicious SDP data.
Realtek addressed the issue in March noting that it affects rtl819x-eCos-v0.x series and rtl819x-eCos-v1.x series and that it could be exploited through a WAN interface.
The four researchers from Faraday Security have developed proof-of-concept (PoC) exploit code for CVE-2022-27255 that works on Nexxt Nebula 300 Plus routers.
They also shared a video showing that a remote attacker could compromise the device even if remote management features are turned off.
The researchers note that CVE-2022-27255 is a zero-click vulnerability, meaning that exploitation is silent and requires no interaction from the user.
An attacker exploiting this vulnerability would only need the external IP address of the vulnerable device.
Few lines of defense
Johannes Ullrich, Dean of Research at SANS says that a remote attacker could exploit the vulnerability for the following actions:
- crash the device
- execute arbitrary code
- establish backdoors for persistence
- reroute network traffic
- intercept network traffic
Ullrich warns that if an exploit for CVE-2022-27255 turns into a worm, it could spread over the internet in minutes.
Despite a patch being available since March, Ullrich warns that the vulnerability affects "many (millions) of devices" and that a fix is unlikely to propagate to all devices.
This is because multiple vendors use the vulnerable Realtek SDK for equipment based on RTL819x SoCs and many of them have yet to release a firmware update.
It is unclear how many networking devices use RTL819x chips but the RTL819xD version of the SoC was present in products from more than 60 vendors. Among them ASUSTek, Belkin, Buffalo, D-Link, Edimax, TRENDnet, and Zyxel.
The researcher says that:
- Devices using firmware built around the Realtek eCOS SDK before March 2022 are vulnerable
- You are vulnerable even if you do not expose any admin interface functionality
- Attackers may use a single UDP packet to an arbitrary port to exploit the vulnerability
- This vulnerability will likely affect routers the most, but some IoT devices built around Realtek's SDK may also be affected
Ulrich created a Snort rule here that can detect the PoC exploit. It looks for "INVITE" messages with the string "m=audio" and triggers when there are more than 128 bytes (size of the allocated buffer by the Realtek SDK) and if none of them is a carriage return.
Users should check if their networking equipment is vulnerable and install a firmware update from the vendor released after March, if available. Other than this, organizations could try to block unsolicited UDP requests.
Slides for the DEFCON presentation along with exploits, and a detection script for CVE-2022-27255 are available in this GitHub repository.