Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks

Major vulnerabilities in the Realtek RTL8195A Wi-Fi module expose embedded devices used in a myriad of industries to remote attacks, researchers with automated device security platform provider Vdoo reveal.

The low-power Wi-Fi module is designed for use in embedded devices, and is being used in a broad range of industries, including automotive, agriculture, energy, healthcare, industrial, and security.

The RTL8195A chip supports WEP, WPA and WPA2 authentication modes, and Vdoo discovered that the WPA2 handshake mechanism is prone to stack overflow and out-of-bounds read bugs.

Tracked as CVE-2020-9395, the most severe of the flaws is a remotely exploitable stack overflow that could lead to a complete takeover of the module and the device’s wireless communications. The vulnerability can be exploited by an attacker in the proximity of a vulnerable system, even if they don’t know the Wi-Fi network password (Pre-Shared-Key, or PSK).

Two other vulnerabilities (an out-of-bounds read and a stack-based buffer overflow) could also be exploited without knowing the network security key (the PMK, which is derived from the PSK), to execute code remotely or cause a denial of service (DoS) condition.

All of the remaining three vulnerabilities are stack-based buffer overflow issues that could lead to remote code execution, but exploitation requires for the attacker to know the network’s PSK. Thus, the use of a strong, private WPA2 passphrase should prevent exploitation of these bugs.

Realtek has published an advisory for CVE-2020-9395 only, revealing that RTL8711AM, RTL8711AF, and RTL8710AF modules are also vulnerable.

“An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6. A stack-based buffer overflow exists in the client code that takes care of WPA2’s 4-way-handshake via a malformed EAPOL-Key packet with a long keydata buffer,” Realtek explains.

According to Vdoo’s researchers, because no mitigating factors are in place, exploitation of this vulnerability is trivial. Exploitation is possible regardless of whether the victim is the client or the access point.

Vdoo says all of these vulnerabilities have been addressed in the latest version of Ameba Arduino (2.0.8 and above). Updated versions of the Ameba SDK are available on Realtek’s website.

Device versions built after March 3, 2020, are patched against CVE-2020-9395, while versions built after April 21, 2020 are completely patched against all issues.

Related: DLL Hijacking Vulnerability Found in Realtek HD Audio Driver

Related: Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks

Related: Vulnerabilities in Device Drivers From 20 Vendors Expose PCs to Persistent Malware