U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Flaws in Realtek RTL8170C Wi-Fi module allow hijacking wireless communications

Researchers found multiple flaws in the Realtek RTL8170C Wi-Fi module that could be exploited to elevate privileges and hijack wireless communications. Researchers from Israeli IoT security firm Vdoo found multiple vulnerabilities in the Realtek RTL8170C Wi-Fi module that could allow to elevate privileges and hijack wireless communications. The Realtek RTL8710C module is based on a […]

Realtek RTL8170C

Researchers found multiple flaws in the Realtek RTL8170C Wi-Fi module that could be exploited to elevate privileges and hijack wireless communications.

Researchers from Israeli IoT security firm Vdoo found multiple vulnerabilities in the Realtek RTL8170C Wi-Fi module that could allow to elevate privileges and hijack wireless communications.

The Realtek RTL8710C module is based on a Cortex M3 processor, it is used for several applications in many industries, including Agriculture, Automotive, Energy, Gaming, Healthcare, Industrial, Security, and Smart Home.

“Successful exploitation would lead to complete control of the Wi-Fi module and potential root access on the OS (such as Linux or Android) of the embedded device that uses this module.” reads a reported published by Vdoo. To the best of our knowledge, these vulnerabilities are not being exploited in the wild.  Our understanding is that the Realtek team acted promptly to patch these vulnerabilities and push the patched version to the vulnerable products.”

The vulnerabilities impact all embedded and IoT devices that use the Realtek RTL8710C module, they could be exploited only by attackers on the same Wi-Fi network or know the network’s pre-shared key (PSK) used to authenticate wireless clients on local area networks.

Researchers discovered two stack-based buffer overflow vulnerabilities, tracked as CVE-2020-27301 and CVE-2020-27302, in the module’s WPA2 handshake mechanism. The two issues leverage the knowledge of the PSK to obtain remote code execution on WPA2 clients that use the vulnerable Wi-Fi module.

The researchers demonstrated a proof-of-concept (PoC) exploit that sees the attacker masquerading as a legitimate access point, running a modified open-source hostapd, and sending a malicious encrypted group temporal key (GTK) to any client that connects to it via WPA2.

In the video PoC published by the researchers, on the right-hand-side window as “Sending malicious encrypted GTK”

Realtek RTL8170C

“The video demonstrates the stack overflow, which eventually overwrites the return address to the invalid address of 0x95f98179. This is a “random” address because the buffer goes through AES decryption, however – since the attacker has full knowledge of all the encryption parameters (the network’s PSK etc.), precise control of the return address can be achieved – this is left as an exercise for the reader.” continues the report.

The vendor addressed the issue with the release of a version built on 11/01/2021, experts added that updated versions of the ambz2 SDK can be downloaded from Realtek’s website.
The latest version of ambz2 SDK (7.1d) addresses the issues.

In case organizations can’t update the device’s firmware, they can use a strong, private WPA2 passphrase to prevent exploitation of the above flaws.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Realtek RTL8170C Wi-Fi module)

[adrotate banner=”5″]

[adrotate banner=”13″]