Exploit for Realtek chip found in millions of network devices

Home / Threat Intelligence bulletins / Exploit for Realtek chip found in millions of network devices

Overview

The flaw that can be found under CVE-2022-27255 allows for a threat actor to attack/exploit Realtek’s RTL819x system on a chip (SoC). This CVE enables malicious actors to remotely execute code without any authentication by using crafted SIP packets within SDP data.

This vulnerability was discovered by four researchers (Octavio Gianatiempo, Octavio Galland, Emilio Couto and Javier Aguinaga) who are computer science students at the University of Buenos Aires. They announced their discovery at the DefCon hacker conference.

Impact

The disclosed vulnerabilities and exploit code is estimated to affect millions of network devices. Successful exploitation of this vulnerability could allow for a malicious actor to perform the following actions:

Crash the device
Execute arbitrary code
Establish backdoors for persistence
Re-route network traffic
Intercept network traffic
Trigger a stack-based buffer overflow.

Vulnerability Detection

The security research team has also provided Python scripts which can assist in the detection of vulnerable devices.

A snort has been created and provided by Johannes Ullrich at the SANs institute.

Affected Products

This vulnerability affects all networking devices which utilise Realtek’s RTL819x SoC.

Containment, Mitigations & Remediations

The patch has been available since March. However, Johannes Ullrich, Dean of Research at SANS, warns that the fix is unlikely to propagate to all devices.

Block unsolicited UDP requests at the perimeter (inbound).

Indicators of Compromise

There are currently no indicators of compromise which have been released as part of this exploit.

Threat Landscape

This proof of concept affects Realtek products, which are currently estimated to be in the millions, and the customers associated with them as well. Based on the severity of this flaw, this would cause a lot of damage and financial costs for businesses using these products.

Researchers have noted this CVE is a zero-click vulnerability, meaning that it is silent and doesn’t require user interaction. After the exploiting the flaw, the malicious actors would only need an external IP address of the affected device. This vulnerability has not been exploited in the wild yet.