Huge Vulnerability on Realtek’s RTL819x SoC, Which Probably Includes You
SIP-ping On An Insecure Pipe
Four researchers from Faraday Security in Argentina revealed a flaw in Realtek’s RTL819x SoC at DEFCON; the SoC is found in everything from routers and access points to signal repeaters. The list of vendors that use the RTL819x is long, with more than 60 companies including ASUSTek, Belkin, D-Link, TRENDnet, and Zyxel. The good news is that Realtek released a patch back in March for its rtl819x-eCos-v0.x and rtl819x-eCos-v1.x series, so any product manufactured after March 2022 is already secured against this flaw.
The bad news is dismal: history has shown that IoT vendors do not always bother to release patches for vulnerabilities, so there is a good chance that many affected devices are still vulnerable. Unfortunately, the vulnerability, rated 9.8 out of 10, is a doozy. It requires no input from the user of the device and can be triggered remotely without their knowledge. Even better, the exploit works even if you have disabled remote management on the device!
Once in, an attacker can crash the device, execute arbitrary code, establish backdoors, and reroute and intercept any network traffic that passes through the device. In its article, Bleeping Computer linked to a Snort rule created by one of the researchers who discovered the flaw, which you can use to detect attempts to exploit it on your network.
CVE-2022-27255 is a stack-based buffer overflow with a severity score of 9.8 out of 10 that enables remote attackers to execute code without authentication by using specially crafted SIP packets with malicious SDP data.
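The flaw is triggered by SDP data carried inside SIP traffic, so a network-side check for malformed or oversized SDP is the natural detection point. The following Python is an added example, not code from Faraday Security, Realtek, or the Snort rule linked by Bleeping Computer: it frames a SIP message per RFC 3261, verifies that `Content-Length` matches the body, and flags SDP lines that are not in `type=value` form or that exceed an assumed length threshold (`MAX_SDP_LINE_LEN`, a conservative value chosen here, not one taken from the advisory). The sample INVITE messages are constructed inline so the script runs offline.

```python
import re
from dataclasses import dataclass

# Assumed threshold: no legitimate SDP line on a home or small-office network
# comes anywhere near this size, so anything longer is worth an alert.
MAX_SDP_LINE_LEN = 256


@dataclass
class SipMessage:
    start_line: str
    headers: dict
    body: bytes


def parse_sip(raw: bytes) -> SipMessage:
    """Split a SIP message into start line, headers and body (RFC 3261 framing)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = (
            value.strip().decode("ascii", "replace")
        )
    return SipMessage(start_line, headers, body)


def sdp_anomalies(body: bytes, max_len: int = MAX_SDP_LINE_LEN) -> list:
    """Return human-readable reasons why an SDP body looks anomalous."""
    reasons = []
    for lineno, line in enumerate(re.split(rb"\r?\n", body)):
        if not line:
            continue  # trailing empty element after the final CRLF
        if len(line) > max_len:
            reasons.append(f"line {lineno}: {len(line)} bytes exceeds {max_len}")
        # Every SDP line is a single lowercase type character, '=', then a value.
        if not re.fullmatch(rb"[a-z]=.*", line, re.DOTALL):
            reasons.append(f"line {lineno}: not '<type>=<value>' form")
    return reasons


def inspect(raw: bytes) -> list:
    """Inspect one SIP datagram; only messages carrying SDP are examined."""
    msg = parse_sip(raw)
    if msg.headers.get("content-type", "").lower() != "application/sdp":
        return []
    reasons = []
    declared = msg.headers.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(msg.body):
        reasons.append(f"Content-Length {declared} != actual body {len(msg.body)}")
    reasons.extend(sdp_anomalies(msg.body))
    return reasons


def build_invite(sdp_lines: list) -> bytes:
    """Construct a minimal SIP INVITE carrying the given SDP lines (sample input only)."""
    body = b"\r\n".join(sdp_lines) + b"\r\n"
    head = (
        b"INVITE sip:bob@example.net SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
        b"From: <sip:alice@example.net>\r\n"
        b"To: <sip:bob@example.net>\r\n"
        b"Call-ID: constructed-call-id@192.0.2.10\r\n"
        b"CSeq: 1 INVITE\r\n"
        b"Content-Type: application/sdp\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
    )
    return head + b"\r\n" + body


# Constructed samples: a normal audio offer and one with an absurdly long m= line.
BENIGN = build_invite([
    b"v=0",
    b"o=- 0 0 IN IP4 192.0.2.10",
    b"s=-",
    b"c=IN IP4 192.0.2.10",
    b"t=0 0",
    b"m=audio 49170 RTP/AVP 0",
    b"a=rtpmap:0 PCMU/8000",
])
SUSPICIOUS = build_invite([
    b"v=0",
    b"o=- 0 0 IN IP4 192.0.2.10",
    b"s=-",
    b"c=IN IP4 192.0.2.10",
    b"t=0 0",
    b"m=audio " + b"9" * 400 + b" RTP/AVP 0",
])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect(sample) or "no anomalies")
```

This is a heuristic, not a signature for the specific overflow: it will also flag unrelated malformed SDP, and it should be run on a sensor or SIP proxy in front of the router rather than on the RTL819x device itself. The Snort rule linked in the article remains the better-targeted check.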