"Realtek SDK Vulnerability Exposes Routers From Many Vendors to Remote Attacks"

Security researchers at Faraday have discovered a severe vulnerability affecting the eCos SDK made by Taiwanese semiconductor company Realtek that could expose the networking devices of many vendors to remote attacks. The vulnerability, tracked as CVE-2022-27255 and rated high severity, has been described as a stack-based buffer overflow that can allow a remote attacker to cause a crash or achieve arbitrary code execution on devices that use the SDK. The researchers noted that an attack can be carried out through the WAN interface using specially crafted SIP packets.

The Realtek eCos SDK is provided to companies that manufacture routers, access points, and repeaters powered by RTL819x family SoCs. The researchers noted that the SDK implements the base functionalities of the router, including the web administration interface and the networking stack. Vendors can build on top of this SDK to add custom functionality and their branding to the device.

Realtek informed customers about the eCos SDK vulnerability in March, when it announced the availability of a patch. However, it is up to the OEMs using the SDK to ensure that the patch is distributed to end-user devices. The researchers stated that they have identified roughly 20 vendors that use the vulnerable SDK in their products, including Tenda, Nexxt, Intelbras, and D-Link. However, there could be other impacted vendors that they have yet to identify. The researchers noted that the process of identifying affected OEM products is daunting due to the lack of visibility into their supply chain.

The researchers stated that although there is no indication that the flaw has been exploited in the wild, a significant number of devices could be exposed to attacks due to this vulnerability, so it may be tempting for malicious actors. The researchers conducted a Shodan search and identified over 60,000 vulnerable routers with their administration panel exposed. They noted that the admin panel is not enabled by default, so the total number of exposed devices should be larger.

 

SecurityWeek reports: "Realtek SDK Vulnerability Exposes Routers From Many Vendors to Remote Attacks"

Submitted by Anonymous on