Several remotely exploitable vulnerabilities in a Realtek SDK, which is used in IoT devices sold by a long list of manufacturers, can enable an attacker to gain complete control over an affected device.
The flaws affect many popular devices such as IP cameras, routers, WiFi repeaters, and others from manufacturers including Buffalo, ASUS, Belkin, D-Link, LG, Logitec, and Realtek itself. Some of the vulnerabilities have been present in the Realtek Jungle SDK for many years, and third-party binaries built by manufacturers based on the vulnerable SDK inherited those bugs. The most serious of the vulnerabilities are a set of bugs in the management interface that is used to set up new devices. Those flaws allow command injection and enable an attacker to take control of the target device.
Realtek has released updated SDKs to address the problem, but these vulnerabilities may have a long tail. Many of the types of devices that are affected by the bugs are difficult to update and owners often don’t know when updates are available. Device manufacturers often don’t prioritize security updates for IoT devices, either, as many of those devices are designed to be somewhat disposable.
“On the supplier’s end, insufficient secure software development practices, in particular lack of security testing and code review, resulted in dozens of critical security issues to remain untouched in Realtek’s codebase for more than a decade (from 2.x branch through “Jungle” SDK to “Luna” SDK),” researchers from IoT Inspector, who discovered the flaws, said in a detailed explanation of the findings.
“On the product vendor’s end, we see manufacturers with access to the Realtek source code (a requirement to build Realtek SDK binaries for their own platform) who missed to sufficiently validate their supply chain, left the issues unspotted and distributed the vulnerabilities to hundreds of thousands of end customers – leaving them vulnerable to attacks.”
The vulnerabilities affect the Realtek SDK v2.x, Realtek “Jungle” SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT, and Realtek “Luna” SDK up to version 1.3.2.
The bugs include a stack buffer overflow via UPnP in the WiFi Simple Config utility, a heap buffer overflow in that utility via SSDP, a command injection bug in the MP Daemon diagnostic tool, and several flaws in the web interface.