Critical Flaws in Realtek SDK Affect Hundreds of Thousands of IoT Devices

Researchers have discovered multiple severe vulnerabilities in three software development kits (SDKs) supplied by Realtek and used by at least 65 vendors of Internet-enabled devices. The flaws can let unauthenticated attackers fully compromise a target device and execute arbitrary code with the highest level of privilege.

During firmware analysis, researchers at IoT Inspector identified more than a dozen vulnerabilities – ranging from command injection to memory corruption affecting UPnP, HTTP (management web interface), and a custom network service – in binaries packaged as part of three distinct SDKs developed by Realtek and provided to IoT gear vendors and manufacturers.

“By exploiting these vulnerabilities, remote unauthenticated attackers can fully compromise the target device and execute arbitrary code with the highest level of privilege,” the researchers note.

Over the course of the research, the team identified at least 65 affected vendors with close to 200 unique fingerprints. The flaws cover a wide spectrum of use cases, from residential gateways, travel routers, Wi-Fi repeaters and IP cameras to smart lightning gateways and even connected toys.

Four key flaws are highlighted in the research:

  • CVE-2021-35392 (CVSS score: 8.1) – Heap buffer overflow vulnerability in ‘WiFi Simple Config’ server due to unsafe crafting of SSDP NOTIFY messages
  • CVE-2021-35393 (CVSS score: 8.1) – Stack buffer overflow vulnerability in ‘WiFi Simple Config’ server due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header
  • CVE-2021-35394 (CVSS score: 9.8) – Multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability in ‘UDPServer’ MP tool
  • CVE-2021-35395 (CVSS score: 9.8) – Multiple buffer overflow vulnerabilities in HTTP web server ‘boa’ due to unsafe copies of some overly long parameters.

Realtek themselves have published an advisory drawing attention to the vulnerabilities, warning of their high-risk nature and offering the afferent patches to clients.

“We got 198 unique fingerprints for devices that answered over UPnP. If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million,” the research team says.

The research team at IoT Inspector blames the flaws on insufficient secure software development practices, in particular lack of security testing and code review. They also note that other security researchers and pen-testers have previously identified flaws in devices that rely on the Realtek SDK, but they didn’t link these issues to Realtek directly.

And vendors who received reports of these vulnerabilities have reportedly fixed them in their own branch but kept Realtek out of the loop, leaving others exposed. Some of the flaws are more than a decade old, the researchers say.