Multiple vulnerabilities in Realtek RTL8195AM, RTL8711AM, RTL8711AF and RTL8710AF devices
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2020-25857 CVE-2020-25856 CVE-2020-25855 CVE-2020-25854 CVE-2020-25853 CVE-2020-9395 |
| CWE-ID | CWE-121 CWE-125 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
RTL8195AM Hardware solutions / Firmware RTL8711AM Hardware solutions / Firmware RTL8711AF Hardware solutions / Firmware RTL8710AF Hardware solutions / Firmware |
| Vendor |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Stack-based buffer overflow
EUVDB-ID: #VU50412
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-25857
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the "ClientEAPOLKeyRecvd()" function. A remote unauthenticated attacker can inject a specially crafted packet to the WPA2 handshake, trigger stack-based buffer overflow and cause a denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsRTL8195AM: before 2.0.8
RTL8711AM: before 2.0.8
RTL8711AF: before 2.0.8
RTL8710AF: before 2.0.8
External linkshttp://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Stack-based buffer overflow
EUVDB-ID: #VU50411
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-25856
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the "DecWPA2KeyData()" function does not validate the size parameter for an "rtl_memcpy()" operation. A remote unauthenticated attacker can inject a specially crafted packet to the WPA2 handshake, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsRTL8195AM: before 2.0.8
RTL8711AM: before 2.0.8
RTL8711AF: before 2.0.8
RTL8710AF: before 2.0.8
External linkshttp://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Stack-based buffer overflow
EUVDB-ID: #VU50408
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-25855
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the "AES_UnWRAP()" function. A remote unauthenticated attacker can inject a specially crafted packet to the WPA2 handshake, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsRTL8195AM: before 2.0.8
RTL8711AM: before 2.0.8
RTL8711AF: before 2.0.8
RTL8710AF: before 2.0.8
External linkshttp://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Stack-based buffer overflow
EUVDB-ID: #VU50407
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-25854
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the "DecWPA2KeyData" function. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsRTL8195AM: before 2.0.8
RTL8711AM: before 2.0.8
RTL8711AF: before 2.0.8
RTL8710AF: before 2.0.8
External linkshttp://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds read
EUVDB-ID: #VU50406
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-25853
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in the "CheckMic()" function. A remote attacker can trigger out-of-bounds read error and cause a denial of service condition on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsRTL8195AM: before 2.0.8
RTL8711AM: before 2.0.8
RTL8711AF: before 2.0.8
RTL8710AF: before 2.0.8
External linkshttp://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Stack-based buffer overflow
EUVDB-ID: #VU50405
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9395
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing a malformed EAPOL-Key packet with a long keydata buffer. A remote authenticated attacker on the local network can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsRTL8195AM: before 2.0.8
RTL8711AM: before 2.0.8
RTL8711AF: before 2.0.8
RTL8710AF: before 2.0.8
External linkshttp://github.com/ambiot/amb1_arduino/commit/dcea55cf9775a0166805b3db845b237ecd5e74ea#diff-d06e7a87f34cc464a56799a419033014
http://github.com/ambiot/amb1_sdk/commit/bc5173d5d4faf6829074b0f1e1b242c12b7777a3#diff-700c216fb376666eaeda0c892e8bdc09
http://www.amebaiot.com/en/security_bulletin/
http://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
