
WARNING: COMMONLY USED CHIPSET (REALTEK JUNGLE SDK) IN IOT DEVICES AND ROUTERS ACTIVELY EXPLOITED.

Reference: Advisory #2023-12
Version: 1.0
Affected software: Realtek Jungle SDK
Type: multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability
CVE/CVSS: CVE-2021-35394 CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
https://onekey.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/

Risks

The Realtek Jungle SDK is commonly used in IoT devices, including modems and routers. A list of identified devices is available here: https://onekey.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/

Attention: this list should not be interpreted as an exhaustive list!

CVE-2021-35394 affects UDPServer in Realtek Jungle SDK versions 2.0 through 3.4.14B.

Remote unauthenticated attackers could leverage this vulnerability to achieve arbitrary command execution, leading to devices being taken over.

CVE-2021-35394 is easily exploitable and could have a high impact on the confidentiality, integrity, and availability of the affected devices.

The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. Organisations should investigate if they suspect an intrusion attempt.

Palo Alto has published indicators of compromise (IoCs) that can be used to check whether the public proof of concept (PoC) is being used against your network infrastructure: https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/

If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.

Description

Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.
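The affected range above is expressed as SDK version strings with an optional letter suffix (v2.x up to v3.4.14B), which a naive string comparison gets wrong. The following is an added example, not code from the CCB, Realtek, ONEKEY or Palo Alto: a small Python triage helper that parses such version strings, compares them against the advisory's range with the suffix taken into account, and classifies a constructed device inventory. It assumes that your asset inventory records the Realtek Jungle SDK version in the "v3.4.14B" form; the hostnames and versions in the sample are constructed, and devices whose SDK version cannot be determined are flagged for manual review against the ONEKEY device list rather than silently treated as safe.

```python
import re
from typing import List, Optional, Tuple

# Affected range as stated in the advisory: v2.x up to and including v3.4.14B.
AFFECTED_MIN = "v2.0"
AFFECTED_MAX = "v3.4.14B"

# Accepts "3.4.14", "v3.4.14", "v3.4.14B"; the trailing letters are the build suffix.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)([A-Za-z]*)$")

Parsed = Tuple[Tuple[int, ...], str]


def parse_version(text: str) -> Optional[Parsed]:
    """Parse 'v3.4.14B' into ((3, 4, 14), 'B'); return None if the string is not a version."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2).upper()


def _comparable(parsed: Parsed, width: int) -> Tuple[Tuple[int, ...], str]:
    """Pad the numeric part so that 3.4 == 3.4.0; a suffix letter sorts after the plain release."""
    numbers, suffix = parsed
    return numbers + (0,) * (width - len(numbers)), suffix


def is_affected(version: str) -> Optional[bool]:
    """True if the version lies in [AFFECTED_MIN, AFFECTED_MAX], False if outside, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    low = parse_version(AFFECTED_MIN)
    high = parse_version(AFFECTED_MAX)
    assert low is not None and high is not None
    width = max(len(parsed[0]), len(low[0]), len(high[0]))
    value = _comparable(parsed, width)
    return _comparable(low, width) <= value <= _comparable(high, width)


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (hostname, sdk_version) pair; unknown versions are never reported as safe."""
    results = []
    for host, version in inventory:
        state = is_affected(version)
        if state is None:
            label = "unknown - verify manually"
        else:
            label = "affected - update" if state else "not affected"
        results.append((host, version, label))
    return results


# Constructed sample inventory (hypothetical hostnames and versions, not real devices).
SAMPLE_INVENTORY = [
    ("gw-branch-01", "v3.4.14B"),
    ("gw-branch-02", "3.4.15"),
    ("cpe-modem-07", "v2.0"),
    ("cpe-modem-08", "1.9.9"),
    ("cpe-modem-09", "n/a"),
]

if __name__ == "__main__":
    for host, version, label in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {version:10} {label}")
```

Vendor firmware often does not expose the SDK version directly, so an inventory entry of "unknown" is the common case; the helper deliberately keeps those devices in the review queue instead of dropping them.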

The vulnerability is now being actively exploited to install malware.

Recommended actions

The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions:

Update vulnerable devices as soon as possible. A list of identified devices is available here: https://onekey.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/

Scale up monitoring and detection capabilities to detect any related suspicious activity and ensure a fast response in case of an intrusion. Organisations that identify any activity related to CVE-2021-35394 within their networks should act immediately.

Palo Alto has published indicators of compromise (IoCs) that can be used to check whether the public proof of concept (PoC) is being used against your network infrastructure: https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/

References

https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
https://onekey.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/