【安全通报】Realtek SDK 多个未授权严重漏洞（CVE-2021-35394&CVE-2021-35395）

fmbd 1559天前

近日，IOT INSPECTOR 公开了 Realtek SDK 多个高危漏洞，并公布了其漏洞细节。未经身份验证的攻击者可以远程利用这些漏洞完全破坏目标设备并以最高级别的权限执行任意代码。由于大多数嵌入式设备使用了 Realtek SDK，至少有 65 家供应商会受到严重漏洞的影响。

漏洞描述

Realtek SDK是瑞昱（Realtek）公司的一套SDK开发包。

CVE-2021-35394

由于对从客户端收到的命令的合法性检测不足，‘UDPServer’ MP 工具受到多个缓冲区溢出漏洞和任意命令注入漏洞的影响。
该漏洞CVSS3评分：9.8，危害等级：严重

CVE-2021-35395

由于某些超长参数的不安全副本以表单方式提交，HTTP Web 服务器‘boa’（go-ahead 已过时）容易受到多缓冲区溢出的影响。
该漏洞CVSS3评分：9.8，危害等级：严重

CVE-2021-35392/CVE-2021-35393

由于 UPnP SUBSCRIBE/UNSUBSCRIBE 回调标头的不安全解析和从收到的 M-SEARCH 消息 ST 标头中不安全地制作 SSDP NOTIFY 消息，实现 UPnP 和 SSDP 协议的“WiFi 简单配置”服务器 (wscd) 容易受到堆栈缓冲区溢出 (CVE-2021-35393) 和堆缓冲区溢出影响（ CVE-2021-35392）。
该漏洞CVSS3评分：8.1，危害等级：高危

CVE 编号

CVE-2021-35392
CVE-2021-35393
CVE-2021-35394
CVE-2021-35395

影响范围

rtl819x-SDK-v3.2.x 系列
rtl819x-SDK-v3.4.x 系列
rtl819x-SDK-v3.4T 系列
rtl819x-SDK-v3.4T-CT 系列
rtl819x-eCos-v1.5.x 系列

已知受影响的厂商名单如下：

厂商	受影响的设备
A-Link Europe Ltd	A-Link WNAP WNAP(b)
ARRIS Group, Inc	VAP4402_CALA
Airlive Corp.	WN-250R WN-350R
Abocom System Inc.	Wireless Router ?
AIgital	Wifi Range Extenders
Amped Wireless	AP20000G
Askey	AP5100W
ASUSTek Computer Inc.	RT-Nxx models, WL330-NUL Wireless WPS Router RT-N10E Wireless WPS Router RT-N10LX Wireless WPS Router RT-N12E Wireless WPS Router RT-N12LX
BEST ONE TECHNOLOGY CO., LTD.	AP-BNC-800
Beeline	Smart Box v1
Belkin	F9K1015 AC1200DB Wireless Router F9K1113 v4 AC1200FE Wireless Router F9K1123 AC750 Wireless Router F9K1116 N300WRX N600DB
Buffalo Inc.	WEX-1166DHP2 WEX-1166DHPS WEX-300HPS WEX-733DHPS WMR-433 WSR-1166DHP3 WSR-1166DHP4 WSR-1166DHPL WSR-1166DHPL2
Calix Inc.	804Mesh
China Mobile Communication Corp.	AN1202L
Compal Broadband Networks, INC.	CH66xx cable modems line.
D-Link	DIR-XXX models ba sed on rlx-linux DAP-XXX models ba sed on rlx-linux DIR-300 DIR-501 DIR-600L DIR-605C DIR-605L DIR-615 DIR-618 DIR-618b DIR-619 DIR-619L DIR-809 DIR-813 DIR-815 DIR-820L DIR-825 DIR-825AC DIR-825ACG1 DIR-842 DAP-1155 DAP-1155 A1 DAP-1360 C1 DAP-1360 B1 DSL-2640U DSL-2750U DSL_2640U VoIP Router DVG-2102S VoIP Router DVG-5004S VoIP Router DVG-N5402GF VoIP Router DVG-N5402SP VoIP Router DVG-N5412SP Wireless VoIP Device DVG-N5402SP
DASAN Networks	H150N
Davolink Inc.	DVW2700 1 DVW2700L 1
Edge-core	VoIP Router ECG4510-05E-R01
Edimax	RE-7438 BR6478N Wireless Router BR-6428nS N150 Wireless Router BR6228GNS N300 Wireless Router BR6428NS BR-6228nS/nC
Edison	unknown
EnGenius Technologies, Inc.	11N Wireless Router Wireless AP Router
ELECOM Co.,LTD.	WRC-1467GHBK WRC-1900GHBK WRC-300FEBK-A WRC-733FEBK-A
Esson Technology Inc.	Wifi Module ESM8196 – https://fccid.io/RKOESM8196 (therefore any device using this wifi module)
EZ-NET Ubiquitous Corp.	NEXT-7004N
FIDA	PRN3005L D5
Hama	unknown
Hawking Technologies, Inc.	HAWNR3
MT-Link	MT-WR600N
Huawei	HG532e, HGxxx models
I-O DATA DEVICE, INC.	WN-AC1167R WN-G300GR
iCotera	i6800
IGD	1T1R
LG International	Axler Router LGI-R104N Axler Router LGI-R104T Axler Router LGI-X501 Axler Router LGI-X502 Axler Router LGI-X503 Axler Router LGI-X601 Axler Router LGI-X602 Axler Router RT-DSE
LINK-NET TECHNOLOGY CO., LTD.	LW-N664R2 LW-U31 LW-U700
Logitec	BR6428GNS LAN-W300N3L
MMC Technology	MM01-005H MM02-005H
MT-Link	MT-WR730N MT-WR760N MT-WR761N MT-WR761N+ MT-WR860N
NetComm Wireless	NF15ACV
Netis	WF2411 WF2411I WF2411R WF2419 WF2419I WF2419R WF2681
Netgear	N300R
Nexxt Solutions	AEIEL304A1 AEIEL304U2 ARNEL304U1
Observa Telecom	RTA01
Occtel	VoIP Router ODC201AC VoIP Router OGC200W VoIP Router ONC200W VoIP Router SP300-DS VoIP Router SP5220SO VoIP Router SP5220SP
Omega Technology	Wireless N Router O31 OWLR151U Wireless N Router O70 OWLR307U
PATECH	Axler RT-TSE Axler Router R104 Axler Router R3 Axler Router X503 Axler Router X603 LotteMart Router 104L LotteMart Router 502L LotteMart Router 503L Router P104S Router P501
PLANEX COMMUNICATIONS INC. Planex Communications Corp.	MZK-MF300N MZK-MR150 MZK-W300NH3 MZK-W300NR MZK-WNHR
PLANET Technology	VIP-281SW
Realtek	RTL8196C EV-2009-02-06 RTL8xxx EV-2009-02-06 RTL8xxx EV-2010-09-20 RTL8186 EV-2006-07-27 RTL8671 EV-2006-07-27 RTL8671 EV-2010-09-20 RTL8xxx EV-2006-07-27 RTL8xxx EV-2009-02-06 RTL8xxx EV-2010-09-20
Revogi Systems
Sitecom Europe BV	Sitecom Wireless Gigabit Router WLR-4001 Sitecom Wireless Router 150N X1 150N Sitecom Wireless Router 300N X2 300N Sitecom Wireless Router 300N X3 300N
Skystation	CWR-GN150S
Sercomm Corp.	Telmex Infinitum
Shaghal Ltd.	ERACN300
Shenzhen Yichen (JCG) Technology Development Co., Ltd.	JYR-N490
Skyworth Digital Technology.	Mesh Router
Smartlink	unknown
TCL Communication	unknown
Technicolor	TD5137
Telewell	TW-EAV510
Tenda	AC6, AC10, W6, W9, i21
Totolink	A300R
TRENDnet, Inc. TRENDnet Technology, Corp.	TEW-651BR TEW-637AP TEW-638APB TEW-831DR
UPVEL	UR-315BN
ZTE	MF253V, MF910
Zyxel	P-330W X150N NBG-2105 NBG-416N AP Router NBG-418N AP Router WAP6804

修复建议

官方已发布安全补丁：

CVE-2021-35392/CVE-2021-35393/CVE-2021-35394
20210622_sdk_3.2.3_wsc_binary_and_mp_daemon_patch.tar.gz
20210622_sdk_3.4.11E_wsc_binary_and_mp_daemon_patch.tar.gz
20210705_sdk-v3.4t_pre5_wsc_binary_and_mp_daemon_patch.tar.gz
20210622_sdk-v3.4t_pre7_wsc-upnp-mp.tgz
20210701_ecosV1.5.3_patch_for_fixing_vulnerabiits.tar.gz

CVE-2021-35395
20210608_release_v3.2.3_patch_for_fix_buffer_overflow_of_boa.tar.gz
20210608_release_v3.4.11_patch_for_fix_buffer_overflow_of_boa.tar.gz
20210608_release_v3.4T-CT_patch_for_fix_buffer_overflow_of_boa.tar.gz
20210701_ecosV1.5.3_patch_for_fixing_vulnerabiits.tar.gz