Slashdot Mirror


RealTek SDK Introduces Vulnerability In Some Routers

jones_supa writes: SOHO routers from manufacturers including at least Trendnet and D-Link allow attackers anywhere in the world to execute malicious code on the devices, according to a security advisory issued over the weekend. The remote command-injection vulnerability resides in the "miniigd SOAP service" as implemented by the RealTek SDK. Before someone asks, there is no comprehensive list of manufacturers or models that are affected. Nerds may be able to spot them by using the Metasploit framework to query their router. If the response contains "RealTek/v1.3" or similar, the device is likely vulnerable. For now, the vulnerable routers should be restricted to communicate only with trusted devices. HP's Zero Day Initiative reported the bug confidentially to RealTek in August 2013, but the issue was disclosed 20 months later as no fix has been provided.
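The banner check described in the summary, as an added example that is not part of the original post: it parses responses captured from devices on your own network and flags those carrying the RealTek marker. The sample responses and addresses are constructed, and reading "or similar" as any `RealTek/v<number>` token is an assumption.

```python
import re
from email.parser import Parser

# Marker quoted in the summary: "RealTek/v1.3" or similar.
# Assumption: "or similar" means any RealTek/v<number> token, in any letter case.
REALTEK_BANNER = re.compile(r"realtek/v(\d+(?:\.\d+)*)", re.IGNORECASE)

def parse_response(raw):
    """Split an HTTP-style response head (SSDP or HTTP reply) into status and headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status, _, header_text = head.partition("\n")
    parsed = Parser().parsestr(header_text)
    headers = {name.lower(): value.strip() for name, value in parsed.items()}
    return status.strip(), headers

def check_device(ip, raw):
    """Build an inventory record; 'likely_affected' follows the summary's heuristic."""
    status, headers = parse_response(raw)
    server = headers.get("server", "")
    # Prefer the Server header, but the summary only says "the response contains",
    # so fall back to searching the whole response text.
    match = REALTEK_BANNER.search(server) or REALTEK_BANNER.search(raw)
    return {
        "ip": ip,
        "status": status,
        "server": server,
        "sdk_version": match.group(1) if match else None,
        "likely_affected": match is not None,
    }

def audit(responses):
    """Return the sorted addresses of devices whose response carries the marker."""
    records = [check_device(ip, raw) for ip, raw in responses.items()]
    return sorted(r["ip"] for r in records if r["likely_affected"])

# Constructed sample responses (not captured from real devices).
SAMPLES = {
    "192.168.0.1": "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                   "ST: upnp:rootdevice\r\nSERVER: OS 1.0 UPnP/1.0 Realtek/V1.3\r\n\r\n",
    "192.168.0.2": "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
                   "SERVER: Linux/3.10 UPnP/1.1 MiniUPnPd/1.9\r\n\r\n",
    "192.168.0.3": "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n\r\n",
    "192.168.0.4": "HTTP/1.1 500 Internal Server Error\r\n"
                   "Server: REALTEK/V1.3 UPnP/1.0\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for ip in audit(SAMPLES):
        print(f"{ip}: RealTek SDK banner present; restrict it to trusted devices")
```
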

35 comments

  1. Sounds like a good policy anyway. by ron_ivi · · Score: 2

    should be restricted to communicate only with trusted devices

    Sounds like a good policy anyway.

  2. I knew it! by Anonymous Coward · · Score: 1

    You can't trust "realtek", they are everywhere yet none of their products are worth a dime.

  3. Er. 201*4*, no? by seebs · · Score: 2, Interesting

    TFA says 2014, not 2013. And thus, not 20 months later.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    1. Re:Er. 201*4*, no? by Anonymous Coward · · Score: 0

      TFA says 2014, not 2013. And thus, not 20 months later.

      No, both links say 2013.

    2. Re:Er. 201*4*, no? by Anonymous Coward · · Score: 0

      Vendor Contact Timeline:

      08/13/2014 - ZDI wrote to vendor requesting contact and PGP
      09/04/2014 - ZDI wrote to vendor requesting contact and PGP
      09/29/2014 - ZDI wrote to vendor requesting contact and PGP
      10/22/2014 - ZDI wrote to vendor requesting contact and PGP, indicated "final" email attempt and informed of intent to 0-day
      04/24/2015 - Public release of advisory

      and

      Disclosure Timeline
      2014-08-13 - Case submitted to the ZDI
      2015-04-24 - Public release of advisory

      The Security Advisory says 2014. The linked article (and, hence, submitter's summary) reference an incorrect year.

  4. My 2c by Anonymous Coward · · Score: 0

    Whoever trusts router security to some (especially American or Chinese) company is a moron. Use open source firmware like openwrt or ddwrt and don't buy routers that don't support some kind of open source firmware. Vote with your wallets god damn it!

    1. Re:My 2c by jonwil · · Score: 1

      And what about when the router you use is an all-in-one provided by your ISP and you don't get a say in which one you use?
      Like cable companies that provide a cable modem/router and don't give you any choice but to use theirs.
      Or things like Verizon FiOS or AT&T U-Verse where they provide the same (modem/router in the one box)

    2. Re:My 2c by UnderCoverPenguin · · Score: 1

      And what about when the router you use is an all-in-one provided by your ISP and you don't get a say in which one you use?
      Like cable companies that provide a cable modem/router and don't give you any choice but to use theirs.
      Or things like Verizon FiOS or AT&T U-Verse where they provide the same (modem/router in the one box)

      So far, in my experience, cloning a PC's MAC address to your own router's WLAN port has worked for me and for friends of mine. And since my router (as well as most of the PCs in my house) is running a version of Linux, I can truthfully say I'm running Linux.

      --
      Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
    3. Re:My 2c by HannethCom · · Score: 1

      Shaw Cable in Canada allows you direct access to the configuration of the modem/router/wifi box. Unfortunately, if you turn off the wifi, it doesn't completely turn off the wifi. You have to call Shaw and get them to disable wifi on their side as turning it off in the software doesn't actually shut off the wifi, it just disables people seeing and connecting to it. The modem/router/wifi sometimes cuts out the cable modem part for a couple of minutes a few times a day if the wifi is enabled at all.

      --
      Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
    4. Re:My 2c by gstoddart · · Score: 1

      Put your firewall behind their router?

      Yes, you have to use theirs to connect to the network .. but then you don't trust it and use your own.

      Or, will that not work for you?

      Because there's no way in hell I'd plug my PC directly into a router provided by my ISP. No fucking way. I trust neither them nor their security.

      Hell, I'm not even on the same router/wifi network as my wife, we both have a router connected to the ISP's router.

      It's just a device which gets a DHCP address, isn't it?

      --
      Lost at C:>. Found at C.
    5. Re:My 2c by tlhIngan · · Score: 1

      Shaw Cable in Canada allows you direct access to the configuration of the modem/router/wifi box. Unfortunately, if you turn off the wifi, it doesn't completely turn off the wifi. You have to call Shaw and get them to disable wifi on their side as turning it off in the software doesn't actually shut off the wifi, it just disables people seeing and connecting to it. The modem/router/wifi sometimes cuts out the cable modem part for a couple of minutes a few times a day if the wifi is enabled at all.

      If you're on Shaw, give Customer Service a call and ask them to set your modem to bridge mode. (Shaw disables the option to do it from the web GUI). This turns off the router completely and it just bridges the DOCSIS modem to the LAN ports. If you have the Cisco modem, it's bridged to all 4 "LAN" ports. If you have the SMC or HiTron modem, it's bridged to port 1 only.

      Stick your regular router to that port and you're done. No need to do anything fancy to use your router.

      Note that startup's a bit tricky as the modem will run the routing software for a minute first in case you want to change the settings, before it resets itself and sets up the bridge. Sometimes my router grabs the settings IP (192.168.100.x) and needs to be released/renewed to grab the proper WAN IP.

      Bridged my modem, run a super nice high end router on it and never looked back.

    6. Re:My 2c by viperidaenz · · Score: 1

      It looks like this issue only affects routers running some version of Linux, since miniigd is an application designed to run on Linux.

      Here's a copy of its start-up script
      https://github.com/KrabbyPatty...

  5. Fritz!Box by DrYak · · Score: 1

    And I knew it was a good idea to go for AVM's Fritz!Box-es...

    (regular updates even for old models, no market segmentation where models only differ by firmware, trying to cram as much feature in one model as possible instead of launching 20 subtly different models, etc.)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  6. Just bought a Trendnet router by Anonymous Coward · · Score: 0

    So I wonder if my Trendnet router I just bought a couple months ago is vulnerable? I definitely have seen some strange stuff on router logs of late. But the router is most certainly a POS; I would not advise anyone to buy a TEW-813DRU. I mean the darn thing can't even check for firmware updates, and I make setting changes and select apply and the changes never set. Very flaky firmware for sure. I can see why it's vulnerable.

  7. Or maybe support an Open Source option? by mcrbids · · Score: 2

    You could do that, or you could buy a router pre-configured with OSS from the factory. It's not even expensive at ~ $50.

    I bought a similar model about a year ago, and its large antennas and decent range/speed make it the best router I've yet had. If it's not even more expensive, why not support a vendor that supports (more) secure, Open Source solutions?

    I have no relationship with this vendor other than being a happy customer

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Or maybe support an Open Source option? by Anonymous Coward · · Score: 0

      Nice to know, but how fast are those routers? I'm on the low end of my ISP's speeds and I have 100/100. How would it handle 100Mb/s of 64byte packets?

    2. Re:Or maybe support an Open Source option? by Anonymous+Brave+Guy · · Score: 1

      Interesting idea, but the hardware spec for that device is so lacking in basic facilities that it will probably be a non-starter for a lot of people.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:Or maybe support an Open Source option? by drinkypoo · · Score: 1

      You could do that, or you could buy a router pre-configured with OSS from the factory. It's not even expensive at ~ $50.

      They don't seem to offer a model with GigE. That's an abject failure, today. Anything contemporary and not heinously expensive?

      FWIW, I'm using a C2D PC with 1xGigE, and a QFE card for routing and some ethernet ports, and 5-port switches on both the GigE and 100Mbps segments, then a Mikrotik Routerboard (411, IIRC) running OpenWRT to handle the WiFi. The total cost is somewhere around $120, but it does dramatically more...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Or maybe support an Open Source option? by mcrbids · · Score: 1

      By spec, wireless N, up to 300 Mbit.

      In practice, I've gone through 4 different routers, and so far, this one has come out on top. It has two decent antennas which may be some of that difference, to be fair.

      My house was (over)built in the 1970s with 3/4" sheet rock, making each room almost like a Faraday cage - getting wifi signal *at all* from two rooms over is spotty at best. In my bedroom (2 doors away from the hotspot) I see about 15-20 Mbits, but in the same room I see up to ~ 40 Mbits for torrents. (50 Mbit connection, shared)

      Oh, and it being open source, I'm gonna bank on its code quality being a bit better...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    5. Re:Or maybe support an Open Source option? by Anonymous Coward · · Score: 0

      why not support a vendor that supports ... Open Source solutions?

      Because open source software sucks balls?

    6. Re:Or maybe support an Open Source option? by amalcolm · · Score: 2

      why not support a vendor that supports ... Open Source solutions?

      Because open source software sucks balls?

      Isn't that a feature ? :)

      --
      Time for bed, said Zebedee - boing
  8. Bridged mode by Anonymous Coward · · Score: 0

    So, are any of these router vulnerabilities relevant if I just put my xDSL modem/router into the bridged mode, and use another, patched router behind it if necessary?

  9. RealTek is capitalized? by Anonymous Coward · · Score: 0

    That's The First Time I've Seen That Happen To RealTek. Or Is It Just In The String??????? Help Jaden Smith Out

  10. What does "SDK" mean to them? by Anonymous Coward · · Score: 0

    Maybe they're not using SDK to mean the same thing we might have in mind

    Security-Disabling Kit

  11. Need to know more by Anonymous Coward · · Score: 0

    The RTL8xxx chipset is also used in adapter cards. Does this vulnerability need the SDK specifically, and wouldn't a flash of dd-wrt take care of the problem?

  12. Why are they allowed to get away with this? by Required+Snark · · Score: 1

    Suppose you bought a kitchen appliance and under a particular set of conditions it fried all the wiring in your house, and perhaps caused it to burn down. There would be a recall, and a lot of civil litigation. Why are electronic equipment manufacturers allowed to get away with this kind of crap?

    It's even worse, because unlike a lot of other gear, they can actually fix the problem in the field. They don't have to do a physical recall like car companies do. What they need is remote update features.

    I think it goes back to Windows. Gates and friends set the standard that computers would break, and that the users had no recourse. If it crashed and you lost something important you were just out of luck. No guarantee on anything.

    Now that everyone has accepted that manufacturers have no responsibility, we are completely stuck with infrastructure that makes it impossible to have secure online transactions. Users are deliberately kept in the dark and known bugs remain unfixed.

    Until there is some change in the law that places liability where it belongs, on the manufacturers, nothing will change. Given the current political climate there is no chance of change. We're just screwed.

    --
    Why is Snark Required?
    1. Re:Why are they allowed to get away with this? by Anonymous Coward · · Score: 0

      and open source software will be held to this same standard, of course, when used in commercial products. All the way down to placing liability "where it belongs". Please correct me, you were categorical in your post.

    2. Re:Why are they allowed to get away with this? by MechaStreisand · · Score: 2

      Liability belongs with the ones making a profit from it, Anonymous Idiot.

      --
      Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
    3. Re:Why are they allowed to get away with this? by Anonymous Coward · · Score: 0

      Doubtful if we're talking about FOSS.

    4. Re:Why are they allowed to get away with this? by amalcolm · · Score: 1

      Why? If a manufacturer decides to use ANY software in his product, it's up to him/her to A: test the software in the configuration he installs it in, on his hardware B: fix bugs and provide patches/updates. This is irregardless of the provenance of the software. If it's FOSS, there is at least the possibility that bug fixes and updates will be provided for him/her by the community that wrote/supports it, saving time and effort. As was stated above, when you start making a profit from software, however it was sourced, the manufacturer should take responsibility for it, throughout its lifetime.

      --
      Time for bed, said Zebedee - boing
    5. Re:Why are they allowed to get away with this? by Anonymous Coward · · Score: 0

      >Why are electronic equipment manufacturers allowed to get away with this kind of crap?

      Because this doesn't burn your house down. A more appropriate and real-life example would be suppose you had a stove with a controller that, when cooking something that produces steam, slowly corrodes. The manufacturer notices this and under all their tests, the only result is the stove stops working. During the warranty period the manufacturer replaces the circuit board with an epoxy potted one (or maybe another unprotected one that'll just rot in a couple of years anyways, it's a crap shoot). If it happens outside the warranty period (which, based on the manufacturer's tests, is most of the time) they offer the part for you (or your hired professional) to replace for 1/2 the price of the stove new.

      While people get upset with such a shitty manufacturer, they get away with that crap because idiots buy poorly built but expensive looking junk. The rest of us search for well built items, which, nowadays, are actually the cheapest ones you can buy (if you can find them) because nobody wants a stove with no display, no self-cleaning function, and electric ring elements. We don't ask for the law to be changed because, forget it, why not just buy the right one in the first place!

      Nobody will get physically injured from a router vulnerability except in very odd edge cases, all of which could equally happen with the stove (stove is boiling water to keep the room humid for someone with asthma). And I bet the router, just like the stove, says not to use it for medical purposes.

    6. Re:Why are they allowed to get away with this? by viperidaenz · · Score: 1

      Buy it as a consumer and leverage the consumer rights you are granted by your local laws. They're usually something along the lines of fit for purpose and of acceptable quality. Retailers usually must provide remedy, replacement or refunds.

  13. Not a bug. Won't fix. by Anonymous Coward · · Score: 1

    This is our hardware. We made it, we're going to have a backdoor into it.

  14. Read for joke by Anonymous Coward · · Score: 0

    Sounds like software defined networking to me :)

  15. Crab card = crap card by Anonymous Coward · · Score: 0

    I'm a Linux user and the Bluetooth portion of the card is a null device and I have to restart the wireless network several times every hour.
    If I replace the card with something that works, like Intel, it will not boot. Thanks Lenovo! Hard coding RealTek network card to the BIOS made me hate everything Lenovo.