#VU16534 Improper input validation in Realtek SDK - CVE-2014-8361
Vulnerability identifier: #VU16534
Vulnerability risk: Critical
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Realtek SDK
Universal components / Libraries /
Software for developers
Vendor: Realtek
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists within the miniigd SOAP service due to a failure to sanitize user data before executing a system call when handling malicious requests. A remote attacker can supply specially crafted NewInternalClient requests and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
Note: the vulnerability is being exploited by various attachers to deliver several Mirai variants (e.g., Satori, JenX, etc.).
Mitigation
Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
Vulnerable software versions
Realtek SDK: All versions
External links
https://www.zerodayinitiative.com/advisories/ZDI-15-155/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
