CVE-2021-35395 – Realtek AP-Router SDK Buffer Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2021-35395
Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exist: one based on Go-Ahead named webs and another based on Boa named boa. Both are affected by these vulnerabilities. Specifically, these binaries are vulnerable to the following issues:
- stack buffer overflow in formRebootCheck due to unsafe copy of the submit-url parameter
- stack buffer overflow in formWsc due to unsafe copy of the submit-url parameter
- stack buffer overflow in formWlanMultipleAP due to unsafe copy of the submit-url parameter
- stack buffer overflow in formWlSiteSurvey due to unsafe copy of the ifname parameter
- stack buffer overflow in formStaticDHCP due to unsafe copy of the hostname parameter
- stack buffer overflow in formWsc due to unsafe copy of the 'peerPin' parameter
- arbitrary command execution in formSysCmd via the sysCmd parameter
- arbitrary command injection in formWsc via the 'peerPin' parameter
Exploitability of the identified issues will differ based on what the end vendor/manufacturer did with the Realtek SDK web server. Some vendors use it as-is, others add their own authentication implementation; some kept all the features of the server, some removed some of them, and some inserted their own set of features. • https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf •
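The pattern behind the form* findings above, as an added example in C that is not Realtek SDK code: a form parameter whose length the client controls is copied into a fixed stack buffer, and a parameter that later reaches a shell is used without an allowlist. The handler below refuses a value before copying it when it would not fit, and checks ifname and the WPS PIN against allowlists before use. The 64-byte buffer size, the minimal form-body parser, the handler name form_wl_site_survey_hardened and the request bodies are assumptions made for this example; the 4-or-8-digit WPS PIN format and the IFNAMSIZ limit are the allowlists assumed here.

```c
/* Added example, not Realtek SDK code: bounded copy and allowlisting for
 * the submit-url / ifname / peerPin parameters. Sizes and names are assumed. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_MAX    64   /* assumed size of the stack buffer a handler copies submit-url into */
#define IFNAME_MAX 16   /* IFNAMSIZ: 15 characters plus the terminator */

/* Find `name` in an application/x-www-form-urlencoded body and copy its value
 * into out[outsz]. Returns the value length, or -1 if the parameter is absent
 * or would not fit. The size check is the one the vulnerable handlers lacked.
 * Percent-decoding is omitted for brevity. */
int get_param(const char *body, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen >= outsz)
                return -1;                 /* refuse rather than overflow the stack */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Interface names: [A-Za-z0-9_.-], non-empty, shorter than IFNAME_MAX. */
bool ifname_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n >= IFNAME_MAX) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return false;
    }
    return true;
}

/* WPS PINs are 4 or 8 ASCII digits, so a value such as "1234;reboot" is
 * rejected before any code path could hand it to a shell. */
bool wps_pin_ok(const char *s)
{
    size_t n = strlen(s);
    if (n != 4 && n != 8) return false;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return false;
    return true;
}

/* Hardened handler in the shape of the SDK's form* functions (hypothetical
 * name). Nothing is copied before its size is checked and nothing is used
 * before it passes the allowlist. Returns 0 on success, -1 on rejected input. */
int form_wl_site_survey_hardened(const char *body)
{
    char url[URL_MAX], ifname[IFNAME_MAX];
    if (get_param(body, "submit-url", url, sizeof url) < 0) return -1;
    if (get_param(body, "ifname", ifname, sizeof ifname) < 0) return -1;
    if (!ifname_ok(ifname)) return -1;
    printf("site survey on %s, redirect to %s\n", ifname, url);
    return 0;
}

/* The same handler fed a 400-byte submit-url: the input that overflows a
 * URL_MAX stack buffer when copied with strcpy. Here it is simply refused. */
int demo_overlong_submit_url(void)
{
    char body[512] = "submit-url=";           /* constructed request body */
    memset(body + 11, 'A', 400);
    body[411] = '\0';
    strcat(body, "&ifname=wlan0");
    return form_wl_site_survey_hardened(body);   /* returns -1 */
}

int main(void)
{
    const char *body = "submit-url=/wlsurvey.htm&ifname=wlan0";   /* constructed */
    printf("normal request -> %d\n", form_wl_site_survey_hardened(body));
    printf("400-byte submit-url -> %d\n", demo_overlong_submit_url());
    printf("peerPin 12345678 -> %d, 1234;reboot -> %d\n",
           (int)wps_pin_ok("12345678"), (int)wps_pin_ok("1234;reboot"));
    return 0;
}
```

The allowlist matters more than the bounded copy for formSysCmd and the peerPin injection: a value that fits the buffer is still dangerous if it is interpolated into a command line, so the handler should reject anything outside the expected character set, or better, not build shell commands from request data at all.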
CVE-2021-32537 – Realtek High Definition Audio Windows driver crash
https://notcve.org/view.php?id=CVE-2021-32537
Realtek HAD contains a driver crash vulnerability that allows local attackers to send a specially crafted string to the kernel driver from user mode. Because the command is unexpected, the kernel driver crashes the system. • https://github.com/0vercl0k/CVE-2021-32537 http://packetstormsecurity.com/files/163498/Realtek-RTKVHD64.sys-Out-Of-Bounds-Access.html https://www.twcert.org.tw/tw/cp-132-4813-7b578-1.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2020-27302
https://notcve.org/view.php?id=CVE-2020-27302
A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "memcpy" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake. • https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day • CWE-787: Out-of-bounds Write •
CVE-2020-27301
https://notcve.org/view.php?id=CVE-2020-27301
A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "AES_UnWRAP" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake. • https://github.com/chertoGUN/CVE-2020-27301-hostapd https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day • CWE-787: Out-of-bounds Write •
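The key-data handling behind CVE-2020-27301 and CVE-2020-27302, as an added C example that is not Ameba SDK code: in message 3 of the 4-way handshake the access point sends the GTK inside AES-key-wrapped key data, so both the size of the unwrapped plaintext and the length byte of the GTK KDE inside it are chosen by the peer. The two CVEs are the two places those lengths drive a copy into a fixed stack buffer. The parser below applies the checks that prevent that: the unwrapped size must fit the plaintext buffer before unwrapping, and each KDE length must fit both the remaining key data and the destination GTK buffer before the copy. The KDE layout and the AES Key Wrap size rule follow IEEE 802.11 and RFC 3394; the buffer sizes, function names and sample key data are assumptions made for this example.

```c
/* Added example, not Ameba/Realtek code: length validation for EAPOL-Key
 * key data and the GTK KDE it carries. Sizes and names are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GTK_MAX 32      /* largest GTK this receiver accepts (assumed buffer size) */

/* RFC 3394 ciphertext is 8(n+1) bytes for n >= 2 plaintext blocks and unwraps
 * to 8 bytes less. Reject before calling the unwrap routine if the plaintext
 * could not fit the destination buffer; this is the check around AES_UnWRAP. */
bool keydata_size_ok(size_t wrapped_len, size_t plain_max)
{
    if (wrapped_len < 24 || wrapped_len % 8 != 0) return false;
    return wrapped_len - 8 <= plain_max;
}

/* Walk decrypted key data and copy the GTK out of its KDE
 * (Type 0xdd, Length, OUI 00-0F-AC, DataType 1, KeyID/Tx, reserved, GTK).
 * Returns the GTK length, 0 if no GTK KDE is present, -1 on a bad length. */
int extract_gtk(const uint8_t *kd, size_t kdlen, uint8_t *gtk, size_t gtk_max)
{
    static const uint8_t oui_gtk[4] = {0x00, 0x0f, 0xac, 0x01};
    size_t off = 0;
    while (off + 2 <= kdlen) {
        uint8_t type = kd[off], len = kd[off + 1];
        if (type == 0xdd && len == 0) break;           /* 802.11 padding begins */
        if (len > kdlen - off - 2) return -1;          /* KDE claims more than exists */
        if (type == 0xdd && len >= 6 && memcmp(kd + off + 2, oui_gtk, 4) == 0) {
            size_t glen = len - 6;                     /* minus OUI+type, KeyID, reserved */
            if (glen != 16 && glen != 32) return -1;   /* only real GTK sizes */
            if (glen > gtk_max) return -1;             /* the check the memcpy lacked */
            memcpy(gtk, kd + off + 8, glen);
            return (int)glen;
        }
        off += 2 + len;
    }
    return 0;
}

/* Constructed key data: one GTK KDE (KeyID 1) followed by 0xdd padding to a
 * multiple of 8. claimed_len lets a caller forge the KDE length field. */
size_t build_keydata(uint8_t *out, const uint8_t *gtk, size_t glen, uint8_t claimed_len)
{
    size_t n = 0;
    out[n++] = 0xdd;
    out[n++] = claimed_len;
    memcpy(out + n, "\x00\x0f\xac\x01", 4); n += 4;
    out[n++] = 0x01;                                   /* KeyID 1, Tx 0 */
    out[n++] = 0x00;                                   /* reserved */
    memcpy(out + n, gtk, glen); n += glen;
    out[n++] = 0xdd;                                   /* padding marker */
    while (n % 8) out[n++] = 0x00;
    return n;
}

int demo_valid(void)                    /* honest 16-byte GTK: returns 16 */
{
    uint8_t gtk[16], out[GTK_MAX], kd[64];
    memset(gtk, 0x42, sizeof gtk);
    size_t n = build_keydata(kd, gtk, 16, 6 + 16);
    return extract_gtk(kd, n, out, sizeof out);
}

int demo_forged_length(void)            /* length byte claims 200 bytes: returns -1 */
{
    uint8_t gtk[16], out[GTK_MAX], kd[64];
    memset(gtk, 0x42, sizeof gtk);
    size_t n = build_keydata(kd, gtk, 16, 200);
    return extract_gtk(kd, n, out, sizeof out);
}

int demo_too_big_for_buffer(void)       /* valid 32-byte GTK, 16-byte buffer: returns -1 */
{
    uint8_t gtk[32], out[16], kd[64];
    memset(gtk, 0x42, sizeof gtk);
    size_t n = build_keydata(kd, gtk, 32, 6 + 32);
    return extract_gtk(kd, n, out, sizeof out);
}

int main(void)
{
    printf("valid KDE -> %d\n", demo_valid());
    printf("forged length -> %d\n", demo_forged_length());
    printf("GTK larger than buffer -> %d\n", demo_too_big_for_buffer());
    printf("wrapped 24 into 16 -> %d, wrapped 24 into 8 -> %d\n",
           (int)keydata_size_ok(24, 16), (int)keydata_size_ok(24, 8));
    return 0;
}
```

Note the order: the wrapped-size check runs before decryption, so a too-long key data field is dropped before AES_UnWRAP ever writes, and the KDE check runs before the memcpy, so a forged inner length never reaches the copy. Both checks are cheap compared with the unwrap and cost nothing on honest frames.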
CVE-2020-23539
https://notcve.org/view.php?id=CVE-2020-23539
An issue was discovered in Realtek rtl8723de BLE Stack <= 4.1 that allows remote attackers to cause a Denial of Service via the interval field of the CONNECT_REQ message. • https://github.com/pokerfacett/MY_REQUEST/blob/df73fe140655ea44542b03ac186e6c2b47e97540/Realtek%208723ds%20BLE%20SDK%20denial%20of%20service%20attack.md • CWE-476: NULL Pointer Dereference •