Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395)

Threat actors are attempting to exploit CVE-2021-35395, a group of vulnerabilities in the web interface of the Realtek SDK, to spread Mirai malware to vulnerable IoT devices.

A recently revealed flaw

A week ago, IoT Inspector researchers released details about four CVE-numbered flaws (CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, and CVE-2021-35395) affecting the Realtek SDK, which comes with a specific system on a chip (SoC) manufactured by Taiwanese semiconductor company Realtek.

The SoC in question – the Realtek RTL819xD chipset – is found in many embedded devices in the IoT space.

“We identified at least 65 different affected vendors with close to 200 unique fingerprints, thanks both to Shodan’s scanning capabilities and some misconfiguration by vendors and manufacturers who expose those devices to the Internet,” the researchers shared.

“Affected devices implement wireless capabilities and cover a wide spectrum of use cases: from residential gateways, travel routers, Wi-Fi repeaters, IP cameras to smart lightning gateways or even connected toys.”

Realtek has since patched the vulnerabilities, but it will take a while for manufacturers who use their chipset to port and make available patches to their customers, and likely even longer for the customers to implement the provided patches / security updates.

CVE-2021-35395 exploitation attempts

CVE-2021-35395 exploitation attempts have been flagged by Israeli network security company SAM Seamless Network, which detected them via their home security solution.

“Specifically, we noticed exploit attempts to ‘formWsc’ and ‘formSysCmd’ web pages. The exploit attempts to deploy a Mirai variant detected in March by Palo Alto Networks,” Omri Mallis, the company’s Chief Product Archited, shared.

He also noted that a similar incident was reported on August 6th by Juniper Networks – the company detected a newly discovered vulnerability affecting Arcadyan-based routers (CVE-2021–20090) getting exploited in the wild only two days after publication, and the attackers’ goal was to spread the same Mirai variant.

“The webserver serving the Mirai botnet uses the same network subnet, indicating that the same attacker is involved in both incidents,” Mallis added.

“This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly. These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.”

SAM’s researchers have analyzed anonymously collected network data from more than 2 million home and business networks, and found that a Wi-Fi extender by Netic and two routers by Edimax and Repotec are the the most common devices with the Realtek SDK.

Users of IoT devices would do well to check the (incomplete) list of affected manufacturers and device models to see whether their devices are vulnerable, and then wheter the manufacturers have already provided a patch. If they haven’t, they should urge them to do it quickly.