Realtek SDK security flaw found in SOHO routers

News by Doug Drinkwater

Several models of home and small office routers, which use an SDK from Realtek, are vulnerable to an exploit which would allow attackers to run arbitrary code without authentication.

According to the Zero Day Initiative (ZDI), which published details of the vulnerability, Realtek has not issued a patch or update despite repeated attempts to contact the company.

The vulnerability is being disclosed without a patch in accordance with the ZDI vulnerability disclosure policy on lack of vendor response.

ZDI said it contacted Realtek four times, the first time being in August 2014. A final contact attempt was made six months ago at which time it informed Realtek of its intention to zero-day the vulnerability.

Security researcher ‘HeadlessZeke’, who discovered the vulnerability, said he has successfully reproduced it in Trendnet and D-Link routers, but the Realtek SDK is most likely present in other routers as well.

Rapid7's security engineering manager, Tod Beardsley, said he was pleased to see researchers paying attention to home and small office routers and cable modems.

“The problems described aren't unique to D-Link – all the major vendors have had security issues disclosed on them publicly for years,” he said.

He added that routers tend to suffer from lack of patching. “The problem is that these devices exist in people's homes and offices, and most of the time, they work; they shove packets to and from the Internet around, they have some blinky lights, and that's about all most people know about them.”

The reliability and robustness of routers – they rarely break or even need to be rebooted – means they rarely get any attention.

“Because… there is rarely, if ever, any sort of automated patching process, vulnerabilities on these devices are extremely long lived. And, like the Android ecosystem, the DOCSIS modem and SOHO router tends to be very fractured, so no one company takes responsibility for ensuring patch management actually happens,” he said.

ZDI said the vulnerability lies in the handling of NewInternalClient requests. Failure to sanitise user data before executing a system call would allow an attacker to execute code without privileges.

In the absence of a patch and given the nature of the vulnerability, ZDI said, “The only salient mitigation strategy is to restrict interaction with the service to trusted machines.”

Interaction with the Realtek SDK should be limited to essential clients and servers only, which can most easily be accomplished with firewall rules and whitelisting.
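The two defensive steps described above, the missing input check and the restriction of the service to trusted machines, as an added example that is not code from the Realtek SDK, ZDI or this article. NewInternalClient is an argument of the UPnP IGD AddPortMapping action; the SOAP body shape, the trusted network and the function names here are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed trusted network: the only machines allowed to reach the service
# (an assumption for this example, not a value from the article).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed SOAP body in the shape of a UPnP IGD AddPortMapping request;
# only the NewInternalClient argument matters for this check.
SOAP_TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    "<s:Body>"
    '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewInternalClient>{client}</NewInternalClient>"
    "</u:AddPortMapping></s:Body></s:Envelope>"
)


def extract_new_internal_client(body: str):
    """Return the NewInternalClient text, or None if the action lacks it."""
    root = ET.fromstring(body)
    for el in root.iter():
        # strip any XML namespace prefix before comparing the local name
        if el.tag.rsplit("}", 1)[-1] == "NewInternalClient":
            return (el.text or "").strip()
    return None


def is_clean_internal_client(value: str) -> bool:
    """Strict allow-list: the value must parse as a bare IPv4 address, so
    shell metacharacters or anything else can never reach a system call."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def check_request(src_ip: str, body: str) -> str:
    """Decide what to do with one request before any command is built.
    Returns 'block-untrusted', 'reject-bad-value' or 'allow'."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED_NETS):
        return "block-untrusted"      # the mitigation ZDI recommends
    value = extract_new_internal_client(body)
    if value is None:
        return "allow"                # no NewInternalClient argument present
    if not is_clean_internal_client(value):
        return "reject-bad-value"     # the sanitisation step the SDK lacks
    return "allow"
```

The source-address check is the only part that can be applied from outside the device (as a firewall rule in front of the service); the value check is what the firmware itself would need before building any system call.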

Beardsley said there are open source projects such as OpenWRT and AdvancedTomato which offer more frequent updates to the firmware in these devices, but he added, “The onus is on the user to ensure that these are up-to-date.”
