Older D-Link and Other Routers Exposed to Realtek WiFi Vulnerability

An unknown number of broadband routers that make use of the 802.11a/b/g WiFi controllers from Realtek, such as some older models of D-Link and TRENDnet kit, appear to be exposed to a vulnerability that allows remote attackers to execute arbitrary code on related hardware.

The problem stems from a Realtek Software Developers Kit (rtl81xx SDK), which appears to exhibit a vulnerability in its Simple Object Access Protocol (SOAP) on some older 802.11a/b/g WiFi controllers (here). SOAP, which also works alongside HTTP (web) and SMTP (email sending), allows for the exchanging of information in the implementation of web services.

Apparently a flaw with SOAP’s minigd service and related NewInternalClient requests mean that user data isn’t sanitised properly before the execution of a system call and as such a remote attacker could use this to “execute code with root privileges“, which might potentially give them full access to your network and router. But the attacker would probably need to be within range of the WiFi signal in order for this to work.

Unfortunately some routers also inherit the vulnerable code through use of Realtek’s related WiFi controllers and this includes a few D-Link and TRENDnet devices; although there are probably others, but it’s difficult to know who uses the vulnerable controllers and in which specific model(s) of router.

Mitigating the Problem

Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.

Over the past year Realtek are understood to have been repeatedly and privately informed about the security flaw, although they have never once responded and as such the flaw has now been made public.

In fairness the vulnerability currently only appears to affect older devices and so there’s unlikely to be much that Realtek could do about it, not least since most routers manufacturers’ will have long since dropped support for related kit. We suspect that this is probably a fairly low risk issue for UK consumers.