Realtek SDK Vulnerabilities Exploited in Attacks Days After Disclosure

Researchers noticed that threat actors started exploiting Realtek SDK vulnerabilities shortly after their details were made public.

Realtek informed customers about the flaws and the availability of patches in an advisory published on August 15. The next day, details were disclosed by firmware security company IoT Inspector, whose researchers discovered the vulnerabilities.

SAM Seamless Network, a company that specializes in home network security, noticed on August 18 that hackers had already started exploiting some of the vulnerabilities in the wild.

IoT Inspector researchers identified more than a dozen vulnerabilities in the SDKs provided by Realtek to companies that use its RTL8xxx chips. Some of the security holes can be exploited by a remote, unauthenticated attacker to take complete control of a targeted device.

IoT inspector identified nearly 200 unique types of affected devices from a total of 65 different vendors, including routers, IP cameras, Wi-Fi repeaters and residential gateways from companies such as ASUS, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.

The firm estimated that there could be as many as one million systems that are exposed to remote attacks due to these vulnerabilities.

Four CVE identifiers have been assigned to the flaws: CVE-2021-35392, CVE-2021-35393, CVE-2021-35394 and CVE-2021-35395. According to SAM, CVE-2021-35395, which comprises six different bugs, has been exploited in the wild to deliver a variant of the Mirai IoT malware.

The malware appears to be a Mirai variant detailed by Palo Alto Networks in March. The cybersecurity firm warned at the time that the botnet powered by this malware had been exploiting 10 different vulnerabilities in an effort to hijack IoT devices, and noted that new exploits were sometimes added within hours after a flaw was disclosed.

Earlier this month, Juniper Networks started seeing attempts to exploit CVE-2021-20090, a vulnerability that affects at least 20 vendors that provide routers running firmware made by Arcadyan, a Taiwan-based provider of networking solutions. Attacks exploiting CVE-2021-20090 were also spotted just days after the security hole was made public, and those attacks have also been linked to the same Mirai variant.

“According to SAM’s own research of connected devices, based on anonymously collected network data spanning more than 2M home and business networks, the following devices are the most common devices with the Realtek SDK: Netis E1+ extender, Edimax N150 and N300 Wi-Fi router, Repotec RP-WR5444 router,” SAM said in a blog post last week. “These devices are used mainly to enhance Wi-Fi reception.”

The company has made available indicators of compromise (IOCs) for the attacks it has observed.

Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw

Related: New ‘Gucci’ IoT Botnet Targets Europe