Vulnerability identifier: #VU16534

Vulnerability risk: Critical

CVSSv3.1: 9.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:W/RC:C]

CVE-ID: CVE-2014-8361

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Realtek SDK
Universal components / Libraries / Software for developers

Vendor: Realtek

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists within the miniigd SOAP service due to a failure to sanitize user data before executing a system call when handling malicious requests. A remote attacker can supply specially crafted NewInternalClient requests and execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

Note: the vulnerability is being exploited by various attachers to deliver several Mirai variants (e.g., Satori, JenX, etc.).

Mitigation
Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

Vulnerable software versions

Realtek SDK: All versions

---

External links
http://www.zerodayinitiative.com/advisories/ZDI-15-155/

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.