Vulnerabilities in Realtek's Wi-Fi module: beware of old firmware


Security vendor Vdoo disclosed on February 3, 2021 (local time) that Realtek's standalone Wi-Fi module "RTL8195A" contains multiple vulnerabilities.

Vdoo confirmed the vulnerabilities only on the RTL8195A, but says that related modules such as the "RTL8711AM", "RTL8711AF" and "RTL8710AF" are likely to share the same flaws. These modules are inexpensive and are used in agriculture, automobiles, energy, gaming, healthcare, industry, physical security, smart homes and more.

According to Vdoo, the RTL8195A has six vulnerabilities in its WPA2 handshake implementation, including stack buffer overflows and out-of-bounds reads. The most serious of them can be triggered by an attacker within Wi-Fi range who does not know the network password: the module can be completely taken over, or otherwise abused, without knowledge of the PSK or PMK.

The most serious is CD-1406 (CVE-2020-9395), a stack buffer overflow. In the RTL8195A firmware, the EAPOL-Key frames of the WPA2 four-way handshake (on the client side, Message 3, in which the AP delivers key material) are processed by two functions, "ClientEAPOLKeyRecvd" and "EAPOLKeyRecvd".

Both of those functions call "CheckMIC()", which copies the received frame into a local buffer of only 512 bytes using a memory-copy routine whose length is taken from the frame itself and is never compared against the buffer size. A frame longer than 512 bytes therefore overflows the stack buffer. Because the copy happens before the MIC is verified, the attacker does not need a valid MIC, and hence does not need the KCK derived from the PSK: any device in radio range can send the oversized frame.
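To make the failure mode concrete, here is an added example in C, written for this page and not taken from Realtek's firmware or from Vdoo's advisory. It models a CheckMIC-style routine in two forms: a pre-fix one that copies an EAPOL-Key frame into a 512-byte stack buffer using the length the frame itself supplies, and a hardened one that validates the 802.1X body length, the Key Data length and the buffer bound before copying. The frame layout follows the IEEE 802.11 EAPOL-Key format; the digest (toy_mic), the KCK value, the frame builder (build_msg3) and the scenario driver are constructed placeholders, not Realtek code, and the digest is not HMAC-SHA1 or AES-CMAC.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define EAPOL_HDR_LEN       4   /* 802.1X header: version, type, body length (big endian) */
#define EAPOL_KEY_TYPE      3   /* 802.1X packet type: EAPOL-Key */
#define EAPOL_KEY_MIN_BODY 95   /* EAPOL-Key body with an empty Key Data field */
#define KEY_MIC_OFFSET     81   /* header (4) + 77 bytes of EAPOL-Key fields before the MIC */
#define KEY_MIC_LEN        16
#define KEY_DATA_LEN_OFF   97   /* 2-byte Key Data Length, right after the MIC */
#define LOCAL_BUF_LEN     512   /* the stack buffer size named in the advisory */

enum mic_result { MIC_OK, MIC_BAD, MIC_MALFORMED, MIC_TRUNCATED, MIC_TOO_LONG };

/* Constructed placeholder digest (assumption): stands in for HMAC-SHA1-128 / AES-128-CMAC, NOT a secure MAC. */
static void toy_mic(const uint8_t kck[16], const uint8_t *data, size_t len, uint8_t out[KEY_MIC_LEN])
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < 16; i++)  h = (h ^ kck[i]) * 16777619u;
    for (size_t i = 0; i < len; i++) h = (h ^ data[i]) * 16777619u;
    for (size_t i = 0; i < KEY_MIC_LEN; i++) {
        h = (h ^ kck[i] ^ (uint8_t)i) * 16777619u;
        out[i] = (uint8_t)(h >> 24);
    }
}

/* Shared tail of both checkers: save the received MIC, zero its field, recompute over the frame, compare. */
static enum mic_result verify_mic(uint8_t *buf, size_t len, const uint8_t kck[16])
{
    uint8_t received[KEY_MIC_LEN], calc[KEY_MIC_LEN];
    memcpy(received, buf + KEY_MIC_OFFSET, KEY_MIC_LEN);
    memset(buf + KEY_MIC_OFFSET, 0, KEY_MIC_LEN);
    toy_mic(kck, buf, len, calc);
    return memcmp(received, calc, KEY_MIC_LEN) == 0 ? MIC_OK : MIC_BAD; /* use a constant-time compare in production */
}

/* Model of the pre-fix CheckMIC: the copy length is whatever the radio handed up and is never compared
 * with the 512-byte stack buffer. A longer frame smashes the stack before any MIC is checked, so no KCK/PSK is needed. */
static enum mic_result check_mic_vulnerable(const uint8_t *frame, size_t frame_len, const uint8_t kck[16])
{
    uint8_t local[LOCAL_BUF_LEN];
    memcpy(local, frame, frame_len);            /* BUG: frame_len is never bounded by sizeof local */
    return verify_mic(local, frame_len, kck);
}

/* Hardened form: every attacker-controlled length is validated before the buffer is touched. */
static enum mic_result check_mic_hardened(const uint8_t *frame, size_t frame_len, const uint8_t kck[16])
{
    uint8_t local[LOCAL_BUF_LEN];
    size_t body_len, total, key_data_len;
    if (frame_len < EAPOL_HDR_LEN + EAPOL_KEY_MIN_BODY || frame[1] != EAPOL_KEY_TYPE)
        return MIC_MALFORMED;
    body_len = ((size_t)frame[2] << 8) | frame[3];
    total = EAPOL_HDR_LEN + body_len;
    if (total > frame_len)    return MIC_TRUNCATED; /* header claims more bytes than arrived */
    if (total > sizeof local) return MIC_TOO_LONG;  /* the check the original lacked */
    key_data_len = ((size_t)frame[KEY_DATA_LEN_OFF] << 8) | frame[KEY_DATA_LEN_OFF + 1];
    if (EAPOL_KEY_MIN_BODY + key_data_len > body_len)
        return MIC_MALFORMED;                       /* inner length disagrees with outer */
    memcpy(local, frame, total);
    return verify_mic(local, total, kck);
}

/* Bytes a frame of frame_len would write past the 512-byte buffer in the vulnerable version. */
static size_t overflow_bytes(size_t frame_len)
{
    return frame_len > LOCAL_BUF_LEN ? frame_len - LOCAL_BUF_LEN : 0;
}

/* Constructed Message 3-shaped EAPOL-Key frame with key_data_len bytes of filler Key Data and a valid MIC. */
static size_t build_msg3(uint8_t *out, size_t cap, size_t key_data_len, const uint8_t kck[16])
{
    size_t body_len = EAPOL_KEY_MIN_BODY + key_data_len, total = EAPOL_HDR_LEN + body_len;
    if (total > cap || body_len > 0xffff) return 0;
    memset(out, 0, total);
    out[0] = 2; out[1] = EAPOL_KEY_TYPE;                  /* 802.1X version 2, EAPOL-Key */
    out[2] = (uint8_t)(body_len >> 8); out[3] = (uint8_t)body_len;
    out[4] = 2; out[5] = 0x13; out[6] = 0xca;             /* RSN descriptor; Key Info of a typical Message 3 */
    memset(out + 17, 0xa5, 32);                           /* ANonce filler */
    out[KEY_DATA_LEN_OFF] = (uint8_t)(key_data_len >> 8);
    out[KEY_DATA_LEN_OFF + 1] = (uint8_t)key_data_len;
    memset(out + KEY_DATA_LEN_OFF + 2, 0x41, key_data_len);
    toy_mic(kck, out, total, out + KEY_MIC_OFFSET);       /* MIC field is still zero at this point */
    return total;
}

/* Scenario driver: build a frame, optionally flip an ANonce byte, deliver only deliver_len bytes (0 = all)
 * and return the chosen checker's verdict. It refuses to hand an oversized frame to the vulnerable checker. */
static enum mic_result scenario(size_t key_data_len, size_t deliver_len, bool corrupt, bool hardened)
{
    static const uint8_t kck[16] = "KCK-example-key";   /* constructed KCK, not a real key */
    uint8_t frame[1024];
    size_t n = build_msg3(frame, sizeof frame, key_data_len, kck);
    if (n == 0) return MIC_MALFORMED;
    if (corrupt) frame[20] ^= 0x01;
    if (deliver_len) n = deliver_len;
    if (!hardened && n > LOCAL_BUF_LEN) return MIC_TOO_LONG;
    return hardened ? check_mic_hardened(frame, n, kck) : check_mic_vulnerable(frame, n, kck);
}
```

With 600 bytes of Key Data the constructed Message 3 is 699 bytes long. The hardened routine rejects it before copying, whereas the pre-fix copy would write 187 bytes past the end of the 512-byte buffer, over whatever the compiler placed above it on the stack (saved registers and the return address on ARM targets). Because the overflow occurs before the MIC is verified, the attacker never has to produce a valid MIC, which is why the KCK, and therefore the PSK, is not required.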

CVE-2020-9395 is fixed in firmware built from Realtek's "Ameba SDK" versions released after March 3, 2020, and the other five vulnerabilities in SDK versions released after April 21, 2020. Note that Realtek ships the fixes through the Ameba SDK it provides to developers, so a deployed device is only protected once its manufacturer rebuilds its firmware with the patched SDK and pushes that update to the device.

If updating is not possible, a strong, private WPA2 passphrase mitigates some of the vulnerabilities (those whose exploitation requires knowledge of the PSK), but it offers no protection against CVE-2020-9395, which can be triggered without the password.