Exploit code has been released for a critical vulnerability affecting networking devices with Realtek’s RTL819x system on a chip (SoC), which are estimated to be in the millions.

The flaw is identified as CVE-2022-27255 and a remote attacker could exploit it to compromise vulnerable devices from various original equipment manufacturers (OEMs), ranging from routers and access points to signal repeaters.

No user interaction needed

Researchers from cybersecurity company Faraday Security in Argentina discovered the vulnerability in Realtek’s SDK for the open-source eCos operating system and disclosed the technical details last week at the DEFCON hacker conference.

The four researchers (Octavio Gianatiempo, Octavio Galland, Emilio Couto, Javier Aguinaga) credited with finding the vulnerability are computer science students at the University of Buenos Aires.

Their presentation covered the entire effort leading to finding the security issue, from picking a target to analyzing the firmware and exploiting the vulnerability, and automating the detection in other firmware images.

CVE-2022-27255 is a stack-based buffer overflow with a severity score of 9.8 out of 10 that enables remote attackers to execute code without authentication by using specially crafted SIP packets with malicious SDP data.

The vulnerability is a stack-based buffer overflow in the SIP ALG function that is responsible for rewrites SDP data. 

Realtek addressed the issue in March noting that it affects rtl819x-eCos-v0.x series and rtl819x-eCos-v1.x series and that it could be exploited through a WAN interface.

The four researchers from Faraday Security have developed proof-of-concept (PoC) exploit code for CVE-2022-27255 that works on Nexxt Nebula 300 Plus routers.

They also shared a video showing that a remote attacker could compromise the device even if remote management features are turned off.

The researchers note that CVE-2022-27255 is a zero-click vulnerability, meaning that exploitation is silent and requires no interaction from the user.

An attacker exploiting this vulnerability would only need the external IP address of the vulnerable device.

Few lines of defense

Johannes Ullrich, Dean of Research at SANS says that a remote attacker could exploit the vulnerability for the following actions:

  • crash the device
  • execute arbitrary code
  • establish backdoors for persistence
  • reroute network traffic
  • intercept network traffic

Ullrich warns that if an exploit for CVE-2022-27255 turns into a worm, it could spread over the internet in minutes.

Despite a patch being available since March, Ullrich warns that the vulnerability affects "many (millions) of devices" and that a fix is unlikely to propagate to all devices.

This is because multiple vendors use the vulnerable Realtek SDK for equipment based on RTL819x SoCs and many of them have yet to release a firmware update.

It is unclear how many networking devices use RTL819x chips but the RTL819xD version of the SoC was present in products from more than 60 vendors. Among them ASUSTek, Belkin, Buffalo, D-Link, Edimax, TRENDnet, and Zyxel.

The researcher says that:

  • Devices using firmware built around the Realtek eCOS SDK before March 2022 are vulnerable
  • You are vulnerable even if you do not expose any admin interface functionality
  • Attackers may use a single UDP packet to an arbitrary port to exploit the vulnerability
  • This vulnerability will likely affect routers the most, but some IoT devices built around Realtek's SDK may also be affected

Ulrich created a Snort rule here that can detect the PoC exploit. It looks for "INVITE" messages with the string "m=audio" and triggers when there are more than 128 bytes (size of the allocated buffer by the Realtek SDK) and if none of them is a carriage return.

It is important to note that not all products using RTL819x are vulnerable. Faraday Security researchers shared a list with products powered by Realtek's chip and believed to be vulnerable.

Zyxel NBG6615 is on the list because it runs on a vulnerable chip. However, it is not impacted by the vulnerability.

Zyxel reached out to BleepingComputer after publishing this article to explain that the firmware in the NBG6615 router does not initiate the ALG comment function, and, it is not affected by CVE-2022-27255.

Users should check if their networking equipment is vulnerable and install a firmware update from the vendor released after March, if available. Other than this, organizations could try to block unsolicited UDP requests.

Slides for the DEFCON presentation along with exploits, and a detection script for CVE-2022-27255 are available in this GitHub repository.

Update: Zyxel contacted BleepingComputer after publishing this article to share that CVE-2022-27255 impacts none of its products and to clarify that while its NBG6615 runs on Realtek, the firmware does not use the vulnerable function.

Related Articles:

CISA tags Microsoft SharePoint RCE bug as actively exploited

Exploit released for Fortinet RCE bug used in attacks, patch now

Fortinet warns of critical RCE bug in endpoint management software

Exploit available for new critical TeamCity auth bypass bug, patch now

Hackers exploit critical RCE flaw in Bricks WordPress site builder