近日,IOT INSPECTOR 公开了 Realtek SDK 多个高危漏洞,并公布了其漏洞细节。未经身份验证的攻击者可以远程利用这些漏洞 完全破坏目标设备并以最高级别的权限执行任意代码。由于大多数嵌入式设备使用了 Realtek SDK,至少有 65 家供应商会受到严重漏洞的影响。
漏洞描述
Realtek SDK是瑞昱(Realtek)公司的一套SDK开发包。
CVE-2021-35394
由于对从客户端收到的命令的合法性检测不足,‘UDPServer’ MP 工具受到多个缓冲区溢出漏洞和任意命令注入漏洞的影响。
该漏洞CVSS3评分:9.8,危害等级:严重
CVE-2021-35395
由于某些超长参数的不安全副本以表单方式提交,HTTP Web 服务器‘boa’(go-ahead 已过时)容易受到多缓冲区溢出的影响。
该漏洞CVSS3评分:9.8,危害等级:严重
CVE-2021-35392/CVE-2021-35393
由于 UPnP SUBSCRIBE/UNSUBSCRIBE 回调标头的不安全解析 和 从收到的 M-SEARCH 消息 ST 标头中不安全地制作 SSDP NOTIFY 消息,实现 UPnP 和 SSDP 协议的“WiFi 简单配置”服务器 (wscd) 容易受到堆栈缓冲区溢出 (CVE-2021-35393) 和堆缓冲区溢出影响( CVE-2021-35392)。
该漏洞CVSS3评分:8.1,危害等级:高危
CVE 编号
CVE-2021-35392
CVE-2021-35393
CVE-2021-35394
CVE-2021-35395影响范围
rtl819x-SDK-v3.2.x 系列
rtl819x-SDK-v3.4.x 系列
rtl819x-SDK-v3.4T 系列
rtl819x-SDK-v3.4T-CT 系列
rtl819x-eCos-v1.5.x 系列已知受影响的厂商名单如下:
| 厂商 |
受影响的设备 |
|---|---|
| A-Link Europe Ltd | A-Link WNAP WNAP(b) |
| ARRIS Group, Inc | VAP4402_CALA |
| Airlive Corp. | WN-250R WN-350R |
| Abocom System Inc. | Wireless Router ? |
| AIgital | Wifi Range Extenders |
| Amped Wireless | AP20000G |
| Askey | AP5100W |
| ASUSTek Computer Inc. | RT-Nxx models, WL330-NUL Wireless WPS Router RT-N10E Wireless WPS Router RT-N10LX Wireless WPS Router RT-N12E Wireless WPS Router RT-N12LX |
| BEST ONE TECHNOLOGY CO., LTD. | AP-BNC-800 |
| Beeline | Smart Box v1 |
| Belkin | F9K1015 AC1200DB Wireless Router F9K1113 v4 AC1200FE Wireless Router F9K1123 AC750 Wireless Router F9K1116 N300WRX N600DB |
| Buffalo Inc. | WEX-1166DHP2 WEX-1166DHPS WEX-300HPS WEX-733DHPS WMR-433 WSR-1166DHP3 WSR-1166DHP4 WSR-1166DHPL WSR-1166DHPL2 |
| Calix Inc. | 804Mesh |
| China Mobile Communication Corp. | AN1202L |
| Compal Broadband Networks, INC. | CH66xx cable modems line. |
| D-Link | DIR-XXX models ba sed on rlx-linux DAP-XXX models ba sed on rlx-linux DIR-300 DIR-501 DIR-600L DIR-605C DIR-605L DIR-615 DIR-618 DIR-618b DIR-619 DIR-619L DIR-809 DIR-813 DIR-815 DIR-820L DIR-825 DIR-825AC DIR-825ACG1 DIR-842 DAP-1155 DAP-1155 A1 DAP-1360 C1 DAP-1360 B1 DSL-2640U DSL-2750U DSL_2640U VoIP Router DVG-2102S VoIP Router DVG-5004S VoIP Router DVG-N5402GF VoIP Router DVG-N5402SP VoIP Router DVG-N5412SP Wireless VoIP Device DVG-N5402SP |
| DASAN Networks | H150N |
| Davolink Inc. | DVW2700 1 DVW2700L 1 |
| Edge-core | VoIP Router ECG4510-05E-R01 |
| Edimax | RE-7438 BR6478N Wireless Router BR-6428nS N150 Wireless Router BR6228GNS N300 Wireless Router BR6428NS BR-6228nS/nC |
| Edison | unknown |
| EnGenius Technologies, Inc. | 11N Wireless Router Wireless AP Router |
| ELECOM Co.,LTD. | WRC-1467GHBK WRC-1900GHBK WRC-300FEBK-A WRC-733FEBK-A |
| Esson Technology Inc. | Wifi Module ESM8196 – https://fccid.io/RKOESM8196 (therefore any device using this wifi module) |
| EZ-NET Ubiquitous Corp. | NEXT-7004N |
| FIDA | PRN3005L D5 |
| Hama | unknown |
| Hawking Technologies, Inc. | HAWNR3 |
| MT-Link | MT-WR600N |
| Huawei | HG532e, HGxxx models |
| I-O DATA DEVICE, INC. | WN-AC1167R WN-G300GR |
| iCotera | i6800 |
| IGD | 1T1R |
| LG International | Axler Router LGI-R104N Axler Router LGI-R104T Axler Router LGI-X501 Axler Router LGI-X502 Axler Router LGI-X503 Axler Router LGI-X601 Axler Router LGI-X602 Axler Router RT-DSE |
| LINK-NET TECHNOLOGY CO., LTD. | LW-N664R2 LW-U31 LW-U700 |
| Logitec | BR6428GNS LAN-W300N3L |
| MMC Technology | MM01-005H MM02-005H |
| MT-Link | MT-WR730N MT-WR760N MT-WR761N MT-WR761N+ MT-WR860N |
| NetComm Wireless | NF15ACV |
| Netis | WF2411 WF2411I WF2411R WF2419 WF2419I WF2419R WF2681 |
| Netgear | N300R |
| Nexxt Solutions | AEIEL304A1 AEIEL304U2 ARNEL304U1 |
| Observa Telecom | RTA01 |
| Occtel | VoIP Router ODC201AC VoIP Router OGC200W VoIP Router ONC200W VoIP Router SP300-DS VoIP Router SP5220SO VoIP Router SP5220SP |
| Omega Technology | Wireless N Router O31 OWLR151U Wireless N Router O70 OWLR307U |
| PATECH | Axler RT-TSE Axler Router R104 Axler Router R3 Axler Router X503 Axler Router X603 LotteMart Router 104L LotteMart Router 502L LotteMart Router 503L Router P104S Router P501 |
| PLANEX COMMUNICATIONS INC. Planex Communications Corp. | MZK-MF300N MZK-MR150 MZK-W300NH3 MZK-W300NR MZK-WNHR |
| PLANET Technology | VIP-281SW |
| Realtek | RTL8196C EV-2009-02-06 RTL8xxx EV-2009-02-06 RTL8xxx EV-2010-09-20 RTL8186 EV-2006-07-27 RTL8671 EV-2006-07-27 RTL8671 EV-2010-09-20 RTL8xxx EV-2006-07-27 RTL8xxx EV-2009-02-06 RTL8xxx EV-2010-09-20 |
| Revogi Systems | |
| Sitecom Europe BV | Sitecom Wireless Gigabit Router WLR-4001 Sitecom Wireless Router 150N X1 150N Sitecom Wireless Router 300N X2 300N Sitecom Wireless Router 300N X3 300N |
| Skystation | CWR-GN150S |
| Sercomm Corp. | Telmex Infinitum |
| Shaghal Ltd. | ERACN300 |
| Shenzhen Yichen (JCG) Technology Development Co., Ltd. | JYR-N490 |
| Skyworth Digital Technology. | Mesh Router |
| Smartlink | unknown |
| TCL Communication | unknown |
| Technicolor | TD5137 |
| Telewell | TW-EAV510 |
| Tenda | AC6, AC10, W6, W9, i21 |
| Totolink | A300R |
| TRENDnet, Inc. TRENDnet Technology, Corp. | TEW-651BR TEW-637AP TEW-638APB TEW-831DR |
| UPVEL | UR-315BN |
| ZTE | MF253V, MF910 |
| Zyxel | P-330W X150N NBG-2105 NBG-416N AP Router NBG-418N AP Router WAP6804 |
修复建议
官方已发布安全补丁:
CVE-2021-35392/CVE-2021-35393/CVE-2021-35394
20210622_sdk_3.2.3_wsc_binary_and_mp_daemon_patch.tar.gz
20210622_sdk_3.4.11E_wsc_binary_and_mp_daemon_patch.tar.gz
20210705_sdk-v3.4t_pre5_wsc_binary_and_mp_daemon_patch.tar.gz
20210622_sdk-v3.4t_pre7_wsc-upnp-mp.tgz
20210701_ecosV1.5.3_patch_for_fixing_vulnerabiits.tar.gz
CVE-2021-35395
20210608_release_v3.2.3_patch_for_fix_buffer_overflow_of_boa.tar.gz
20210608_release_v3.4.11_patch_for_fix_buffer_overflow_of_boa.tar.gz
20210608_release_v3.4T-CT_patch_for_fix_buffer_overflow_of_boa.tar.gz
20210701_ecosV1.5.3_patch_for_fixing_vulnerabiits.tar.gz参考
[1] https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf
[2] https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
[3] https://mp.weixin.qq.com/s/Un6tVAMZgO3sP0cEQN0Hhg
白帽汇从事信息安全,专注于安全大数据、企业威胁情报。
公司产品:FOFA-网络空间安全搜索引擎、FOEYE-网络空间检索系统、NOSEC-安全讯息平台。
为您提供:网络空间测绘、企业资产收集、企业威胁情报、应急响应服务。