Critical vulnerability in RealTek SDK breaks routers’ security

A critical vulnerability in version 1.3 of the RealTek software development kit (SDK) has opened hole in D-Link and Trendnet Wi-Fi routers – and possibly many others, as well – which can be exploited by attackers to execute arbitrary code on the devices.

“The specific flaw exists within the miniigd SOAP service. The issue lies in the handling of the NewInternalClient requests due to a failure to sanitize user data before executing a system call,” the Zero Day Initiative explained in a security advisory. “An attacker could leverage this vulnerability to execute code with root privileges. Authentication is not required to exploit this vulnerability.”

Unearthed and submitted to the ZDI by researcher Ricky “HeadlessZeke” Lawshae in August 2014, the flaw remains unpatched as RealTek failed to respond to their repeated emails requesting contact, so the initiative went public with it.

“Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,” they noted. “Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”

“I’m glad to see that more researchers are paying attention to these consumer routers (usually referred to as SOHO routers) and cable modems (usually referred to as DOCSIS modems). The problems described aren’t unique to D-Link – all the major vendors have had security issues disclosed on them publicly for years, and the patch management of these devices are usually nonexistent,” commented Tod Beardsley, Security Engineering Manager at Rapid7.

“The problem is that these devices exist in people’s homes and offices, and most of the time, they work; they shove packets to and from the Internet around, they have some blinky lights, and that’s about all most people know about them. They’re also typically very hardy, since there are no moving parts, nor do they move around a lot or get dropped, unlike people’s laptops and smartphones. So, they live on for years, and never see patches.”

“Because the hardware can run reliably for years, and security issues rarely interrupt service, and there is rarely, if ever, any sort of automated patching process, vulnerabilities on these devices are extremely long lived. And, like the Android ecosystem, the DOCSIS modem and SOHO router tends to be very fractured, so no one company takes responsibility for ensuring patch management actually happens,” he explained.

“There are some open source projects, such as OpenWRT and AdvancedTomato which offer much more frequent updates to the firmware that drives several versions of common, off-the-shelf router/modem hardware, but the onus is on the user to ensure that these are up to date. So, there /are/ alternatives to the stock firmware offered by D-Link, Linksys, Buffalo, and other vendors, but there is definitely a maintenance cost associated with them, not the least of which is warranty violation.”

Don't miss