Important Bugs Present in Fashionable Realtek Wi-Fi Module for Embedded Units

Main vulnerabilities have been found within the Realtek RTL8195A Wi-Fi module that might have been exploited to achieve root entry and take full management of a tool’s wi-fi communications.

The six flaws have been reported by researchers from Israeli IoT safety agency Vdoo.

The Realtek RTL8195A module is a standalone, low-power-consumption Wi-Fi {hardware} module focused at embedded units utilized in a number of industries resembling agriculture, sensible residence, healthcare, gaming, and automotive sectors.

It additionally makes use of an “Ameba” API, permitting builders to speak with the gadget through Wi-Fi, HTTP, and MQTT, a light-weight messaging protocol for small sensors and cellular units.


Though the problems uncovered by Vdoo have been verified solely on RTL8195A, the researchers stated they prolong to different modules as effectively, together with RTL8711AM, RTL8711AF, and RTL8710AF.

The issues concern a mixture of stack overflow, and out-of-bounds reads that stem from the Wi-Fi module’s WPA2 four-way handshake mechanism throughout authentication.

Chief amongst them is a buffer overflow vulnerability (CVE-2020-9395) that allows an attacker within the proximity of an RTL8195 module to fully take over the module, with out having to know the Wi-Fi community password (or pre-shared key) and no matter whether or not the module is appearing as a Wi-Fi entry level (AP) or shopper.

Two different flaws will be abused to stage a denial of service, whereas one other set of three weaknesses, together with CVE-2020-25854, might permit exploitation of Wi-Fi shopper units and execute arbitrary code.


Thus in one of many potential assault eventualities, an adversary with prior data of the passphrase for the WPA2 Wi-Fi community that the sufferer gadget is linked to can create a malicious AP by sniffing the community’s SSID and Pairwise Transit Key (PTK) — which is used to encrypt visitors between a shopper and the AP — and pressure the goal to connect with the brand new AP and run malicious code.

Realtek, in response, has launched Ameba Arduino 2.0.8 with patches for all of the six vulnerabilities discovered by Vdoo. It is price noting that firmware variations launched after April 21, 2020, already include the mandatory protections to thwart such takeover assaults.

“A problem was found on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF units earlier than 2.0.6,” the corporate stated in a safety bulletin. “A stack-based buffer overflow exists within the shopper code that takes care of WPA2’s 4-way-handshake through a malformed EAPOL-Key packet with a protracted keydata buffer.”

Supply hyperlink