A zero day vulnerability in popular household routers from D-Link and Trendnet could be exploited by attackers to run arbitrary code on devices.
The flaw, which can be exploited without authentication, is present in version 1.3 of Realtek’s SDK, which figures into some brands of routers, according to by HP’s Zero Day Initiative who disclosed the vulnerability last Friday.
“The specific flaw exists within the miniigd SOAP service,” reads the advisory, “The issue lies in the handling of the NewInternalClient requests due to a failure to sanitize user data before executing a service call. An attacker could leverage this vulnerability to execute code with root privileges.”
Ricky “Headless Zeke” Lawshae, a security researcher for DV Labs at HP’s Tipping Point reported the vulnerability (CVE-2014-8361) to HP’s ZDI in August 2014. Lawshae initially identified the vulnerabilities in routers from Trendnet and D-link, but acknowledged on Twitter over the weekend that anything using the miniigd binary from Realtek’s SDK could be vulnerable.
Remember that 0day I mentioned a loooong time ago? The advisory just went up.
— HeadlessZeke (@HeadlessZeke) April 24, 2015
Unauth remote root via the WAN port on a huge number of SOHO routers using the RealTek chipset SDK http://t.co/tVWqJuvNl3
— HeadlessZeke (@HeadlessZeke) April 24, 2015
ZDI reached out to the vendor four times from August to October last year without hearing back and decided to go public with the vulnerability last week.
To mitigate the vulnerability, ZDI is instructing users to restrict Realtek SDK’s interaction to trusted machines. Using either firewalls or whitelisting, users should only grant “clients and servers that have a legitimate procedural relationship” with the SDK the ability to access it.
Router companies have had an extraordinarily tough go of it on the security front this year. D-Link in particular has been forced to patch a handful of vulnerabilities in its home routers that gave attackers root access and enabled DNS hijacking throughout February and March.