The flaw tracked as CVE-2022-27255 allows a threat actor to exploit Realtek's RTL819x system on a chip (SoC). It enables malicious actors to execute code remotely, without any authentication, by sending crafted SIP packets carrying SDP data.
This vulnerability was discovered by four researchers (Octavio Gianatiempo, Octavio Galland, Emilio Couto and Javier Aguinaga) who are computer science students at the University of Buenos Aires. They announced their discovery at the DefCon hacker conference.
The disclosed vulnerability and exploit code are estimated to affect millions of network devices. Successful exploitation could allow a malicious actor to perform the following actions:
- Crash the device
- Execute arbitrary code
- Establish backdoors for persistence
- Re-route network traffic
- Intercept network traffic
- Trigger a stack-based buffer overflow.
The security research team has also provided Python scripts which can assist in the detection of vulnerable devices.
A Snort rule has been created and provided by Johannes Ullrich at the SANS Institute.
This vulnerability affects all networking devices which utilise Realtek’s RTL819x SoC.
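The advisory says the trigger is crafted SIP packets whose SDP data overflows a stack buffer, and that detection scripts and a Snort rule exist. The following is an added example of a defender-side detection heuristic, not the researchers' scripts or the SANS rule: it parses a SIP-over-UDP payload, locates the SDP body, and flags any SDP field whose value is far longer than a legitimate client would send. The 128-byte threshold, the SIP/SDP samples, and the assumption that the overflow correlates with an oversized SDP value are all constructed for this example and are not taken from the vulnerability details.

```python
"""Heuristic detector for oversized SDP fields in SIP-over-UDP payloads.

Added example, not from the advisory or the researchers' scripts. The
heuristic assumes that an SDP value much longer than any normal client
emits is worth alerting on; MAX_SDP_FIELD_LEN is an assumed tuning value.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_SDP_FIELD_LEN = 128  # assumed threshold; tune against real traffic


@dataclass
class Finding:
    sdp_line: str   # truncated copy of the offending SDP line
    length: int     # length of the value after "<type>="


def split_sip_message(payload: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a SIP message into a lowercase header dict and the raw body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def inspect_sip(payload: bytes, max_len: int = MAX_SDP_FIELD_LEN) -> List[Finding]:
    """Return one Finding per SDP line whose value exceeds max_len."""
    headers, body = split_sip_message(payload)
    if "sdp" not in headers.get("content-type", "").lower():
        return []  # no SDP body, nothing for an SDP parser to copy
    findings: List[Finding] = []
    for raw in body.split(b"\r\n"):
        line = raw.decode("latin-1")
        # SDP lines are "<type>=<value>"; the value is what a parser copies
        if len(line) < 2 or line[1] != "=":
            continue
        value = line[2:]
        if len(value) > max_len:
            findings.append(Finding(sdp_line=line[:40] + "...", length=len(value)))
    return findings


def count_suspicious(payloads: List[bytes]) -> int:
    """Number of payloads in a capture batch that raised at least one finding."""
    return sum(1 for p in payloads if inspect_sip(p))


def build_invite(sdp_body: str) -> bytes:
    """Constructed sample SIP INVITE carrying an SDP body (test fixture only)."""
    body = sdp_body.encode("latin-1")
    head = (
        "INVITE sip:1000@192.0.2.10 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:2000@198.51.100.7>;tag=1928301774\r\n"
        "To: <sip:1000@192.0.2.10>\r\n"
        "Call-ID: a84b4c76e66710@198.51.100.7\r\n"
        "CSeq: 314159 INVITE\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + body


# Constructed benign sample: a minimal, well-formed SDP offer.
BENIGN_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 198.51.100.7\r\n"
    "s=call\r\n"
    "c=IN IP4 198.51.100.7\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
# Constructed suspicious sample: one SDP value padded far beyond normal size.
SUSPICIOUS_SDP = BENIGN_SDP.replace("m=audio 49170 RTP/AVP 0", "m=" + "A" * 300)

BENIGN_INVITE = build_invite(BENIGN_SDP)
SUSPICIOUS_INVITE = build_invite(SUSPICIOUS_SDP)

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_INVITE), ("suspicious", SUSPICIOUS_INVITE)):
        print(label, inspect_sip(pkt))
```

A length heuristic like this is a coarse first pass: it will miss malformed SDP that stays short and can fire on unusual but legitimate attribute lines, so it belongs alongside the published Snort rule and the researchers' detection scripts rather than in place of them.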
Containment, Mitigations & Remediations
The patch has been available since March. However, Johannes Ullrich, Dean of Research at SANS, warns that the fix is unlikely to propagate to all devices.
Block unsolicited UDP requests at the perimeter (inbound).
Indicators of Compromise
There are currently no indicators of compromise which have been released as part of this exploit.
The proof of concept affects Realtek-based products, currently estimated to number in the millions, and the customers who rely on them. Given the severity of this flaw, exploitation could cause significant damage and financial cost for businesses using these products.
Researchers have noted that this CVE is a zero-click vulnerability, meaning that it is silent and does not require user interaction. Exploiting the flaw requires only the external IP address of the affected device. This vulnerability has not yet been exploited in the wild.
T1021 – Remote Services
T1190 – Exploit Public-Facing Application