An exploit code has been deployed to address a critical vulnerability affecting networking devices equipped with Realtek”s RTL819x system on a chip (SoC). CVE-2022-27255 has been assigned to this vulnerability. It is referred to as a zero-click vulnerability because exploitation is silent and requires no interaction with users.
Faraday Security, an Argentine cybersecurity firm, discovered the flaw in Realtek”s SDK for the open source eCos operating system.
CVE-2022-27255 is a stack-based buffer overflow, according to reports. It has a severity score of 9.8 out of 10 and allows remote attackers to execute code without authentication. This is accomplished by sending specially crafted SIP (Session Initiation Protocol) packets containing malicious SDP (Session Description Protocol) data.
Faraday Security researchers created a proof-of-concept (PoC) exploit code for CVE-2022-27255. This code can be run on Nexxt Nebula 300 Plus routers.
How it works
To exploit this vulnerability, threat actors only need the external IP address of a vulnerable device. Devices that used firmware based on the Realtek eCOS SDK (software development kit) prior to March 20, 2022, are vulnerable to attacks. Even if admin interface functionality is protected, vulnerability to attacks is possible. Threat actors can exploit the vulnerability by sending a single UDP packet to an arbitrary port. This vulnerability has been reported to have the potential to affect routers as well as some IoT devices built around Realtek”s SDK.
Johannes Ullrich, Dean of Research at SANS, developed a Snort Rule capable of detecting a PoC exploit. The exploit looks for “INVITE” messages with the string “m=audio” and activates if there are more than 128 bytes (the size of the Realtek SDK”s allocated buffer) and none of them are carriage returns.
Unauthenticated remote attackers could exploit the flaw to:
Execute arbitrary code
Crash networking devices
Intercept network traffic
Modify network traffic route
Users should install a firmware update from the vendor that was released after the month of March after scanning their network system for existing vulnerabilities.
Unsolicited UDP requests should also be blocked by organizations, since attackers can exploit the flaw by sending a single UDP packet to any port
The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary.