Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device’s wireless communications.
The six flaws were reported by researchers from Israeli IoT security firm Vdoo.
The Realtek RTL8195A module is a standalone, low-power-consumption Wi-Fi hardware module targeted at embedded devices used in several industries such as agriculture, smart home, healthcare, gaming, and automotive sectors.
It also makes use of an “Ameba” API, allowing developers to communicate with the device via Wi-Fi, HTTP, and MQTT, a lightweight messaging protocol for small sensors and mobile devices.
Although the issues uncovered by Vdoo were verified only on RTL8195A, the researchers said they extend to other modules as well, including RTL8711AM, RTL8711AF, and RTL8710AF.
The flaws concern a mix of stack overflow, and out-of-bounds reads that stem from the Wi-Fi module’s WPA2 four-way handshake mechanism during authentication.
Chief among them is a buffer overflow vulnerability (CVE-2020-9395) that permits an attacker in the proximity of an RTL8195 module to completely take over the module, without having to know the Wi-Fi network password (or pre-shared key) and regardless of whether the module is acting as a Wi-Fi access point (AP) or client.
Two other flaws can be abused to stage a denial of service, while another set of three weaknesses, including CVE-2020-25854, could allow exploitation of Wi-Fi client devices and execute arbitrary code.
Thus in one of the potential attack scenarios, an adversary with prior knowledge of the passphrase for the WPA2 Wi-Fi network that the victim device is connected to can create a malicious AP by sniffing the network’s SSID and Pairwise Transit Key (PTK) — which is used to encrypt traffic between a client and the AP — and force the target to connect to the new AP and run malicious code.
Realtek, in response, has released Ameba Arduino 2.0.8 with patches for all the six vulnerabilities found by Vdoo. It’s worth noting that firmware versions released after April 21, 2020, already come with the necessary protections to thwart such takeover attacks.
“An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6,” the company said in a security bulletin. “A stack-based buffer overflow exists in the client code that takes care of WPA2’s 4-way-handshake via a malformed EAPOL-Key packet with a long keydata buffer.”