Attackers can take control of the device, plant viruses, or read communications. The affected brands.
Researchers from Faraday, an Argentine computer security company, discovered a flaw that affects some of the best-selling routers in Latin America. The vulnerability allows attackers to run programs on the device remotely without the user's permission, take full control of the equipment, and plant viruses or intercept communications.
The flaw, tracked as CVE-2022-27255, lies in the "SDK" of Realtek, a company that manufactures semiconductors (electronic components). Because many vendors build on that same SDK, the problem spills over to other brands such as Everest, D-Link, Nexxt, Nisuta, Tenda, Zyxel and others.
“The vulnerability that we detected in the Realtek SDK is not only for routers, but also access points and repeaters. It can be used by an attacker to remotely execute code on the router without user intervention and under default settings. This would allow you to have full control over the device,” Octavio Gianatiempo, a Faraday researcher, explained to Clarín.
From Las Vegas, where Defcon 2022, one of the largest hacker conferences in the world, is taking place, he explained what the SDK is: “The Source Development Kit is code that provides basic functionality that a developer can then build on. In this case Realtek, the manufacturer of the chips used by these routers, provides an SDK that has the network functionalities and the web interface of the router. Then the developers add their branding, their design and, if they want, extra features.”
The problem, which Realtek had acknowledged in March, was found by Faraday's research team, made up of Octavio Galland, Emilio Couto and Javier Aguinaga.
They first saw it in Mercado Libre's best-selling router in Argentina, the Nexxt Nebula 300 Plus.
“But then we found out that it was part of the Realtek SDK. This implies that other brands that manufacture routers based on this SDK have a high chance of being vulnerable,” explains Gianatiempo.
Since routers are used to share the connection between devices on the internal network, this is not a problem with the modem that an internet provider supplies to establish the connection.
In general, it will affect users who have bought a router to improve the distribution of connectivity in the home, or, on a larger scale and perhaps with more serious consequences, in companies.
What to do if your router has the fault
The first thing to say is that the vulnerability is classified as high severity and high impact according to the SANS Institute, which means that its scope is very large.
The second is that so far 30 devices from 20 different brands have been identified. But, Faraday warns, there are likely to be more.
“Searching Mercadolibre for all of Latin America for the number of sales of affected routers, we found at least 130,000 sales. Using Shodan, we found at least 60 thousand vulnerable devices worldwide with an exposed admin panel. But by default the panel is not exposed, so the number would be even higher,” explains Gianatiempo.
The only current solution is to download the latest version of the router's firmware and check its patch notes directly to see whether they cover the CVE-2022-27255 vulnerability.
The problem is that if the router vendor does not release a patch, there is nothing to do but consider replacing the device.
At the moment, these routers are known to be affected:
- Nexxt Nebula 300 Plus
- Tenda F6 V5.0
- Tenda F9 V2.0
- Tenda AC5 V3.0
- Tenda AC6 V5.0
- Tenda AC7 V4.0
- Tenda AC8 V2.0
- Tenda AC10 V3
- Tenda AC11 V2.0
- Tenda N301 V2.0
- Tenda FH456 V4.0
- Zyxel NBG6615 V1.00
- Intelbras RF 301K V1.1.5
DefCon and Argentine participation
Octavio Gianatiempo speaks with Octavio Galland at Defcon 2022 about the Realtek flaw. Photo: Faraday
Defcon is, along with Black Hat, one of the largest hacker conventions in the world. It has been held in Las Vegas every year since 1993 and brings together cybersecurity researchers, journalists, lawyers and all kinds of personalities related to the world of hacking.
“To give a talk, you have to apply explaining the technical details of your research and how you are going to present them. Being accepted in one of these two conferences implies that the research is of a good level and of interest to the community from all over the world that attends these events,” explains Gianatiempo.
The technical write-up by Faraday, an open source company that detects computer security flaws along with their solutions, can be read here.