Remote code execution in Realtek SDK

1) Improper input validation

EUVDB-ID: #VU16534

Risk: Critical

CVSSv3.1: 9.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:W/RC:C]

CVE-ID: CVE-2014-8361

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists within the miniigd SOAP service due to a failure to sanitize user data before executing a system call when handling malicious requests. A remote attacker can supply specially crafted NewInternalClient requests and execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

Note: the vulnerability is being exploited by various attachers to deliver several Mirai variants (e.g., Satori, JenX, etc.).

Mitigation

Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

Vulnerable software versions

Realtek SDK: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-15-155/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.