Better detect CVE 2021-35394 Realtek Jungle SDK
WHY RETURN TO A 2021 VULNERABILITY?
For the past few days, CVE-2021-35394 has been reappearing systematically in cybersecurity news feeds. The reason is the publication of an article exposing intensive use of this vulnerability by malware targeting IoT devices since August 2022.
Among these malware families we obviously find Mirai, but also two "newcomers", ZeroBot and RedGoBot.
So let’s take a look at this vulnerability that is making so much news.
The attack
This vulnerability concerns the UDPServer component, a diagnostic tool present in the Realtek “Jungle” SDK.
Published in August 2021, it covers buffer overflow vulnerabilities but also a possible command injection. In the vulnerability details, the researchers found that the command injection is in fact a bypass of the patch applied for a vulnerability found in 2015.
The UDPServer process is used differently depending on the manufacturer: as a permanent process, launched on demand during specific actions, or not used at all but still present on the system.
The exploitation of this vulnerability is trivial.
Indeed, to work around the previously reported problem, the code only checks for the presence of certain strings (such as orf) that are accepted as possible commands, concatenates a string, and then executes the result via a call to the system() function.
Thus a string such as orf; ls; # causes the ls command to be executed.
Detection
To date, there do not appear to be any ET Pro rules for this vulnerability. However, it has been seen in use in production, mainly by the Mirai botnet (and its variants), since August 2022.
The payloads mainly detected consist of retrieving malware via HTTP URLs.
The lack of a rule is therefore compensated for by detection from the Malcore engine.
This attack can nonetheless be detected with the following rules:
alert udp any any -> any 9034 (msg:"GW CURRENT_EVENT Possible exploitation of RCE CVE-2021-35394 (orf)"; flow:to_server; content:"orf|3B|"; distance:0; classtype:attempted-admin; metadata:signature_severity Major, created_at 2023_01_26; sid:1000001; rev:1;)
alert udp any any -> any 9034 (msg:"GW CURRENT_EVENT Possible exploitation of RCE CVE-2021-35394 (irf)"; flow:to_server; content:"irf|3B|"; distance:0; classtype:attempted-admin; metadata:signature_severity Major, created_at 2023_01_26; sid:1000002; rev:1;)
alert udp any any -> any 9034 (msg:"GW CURRENT_EVENT Possible exploitation of RCE CVE-2021-35394 (cat)"; flow:to_server; content:"cat|3B|"; distance:0; classtype:attempted-admin; metadata:signature_severity Major, created_at 2023_01_26; sid:1000003; rev:1;)
As these rules are provided as a guideline, it is recommended to test them before applying them in production.
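To see exactly what the three rules above match before deploying them, here is an added Python example (not from the original post or from Gatewatcher) that decodes the rules' content strings, including the |3B| hex escape for ";", and runs them over a few constructed UDP datagrams. Flow direction is not modelled; the sids and content strings are the ones given above.

```python
import re
from typing import Dict, List

# Content patterns copied from the three rules above, keyed by sid.
RULE_CONTENTS: Dict[int, str] = {
    1000001: 'orf|3B|',
    1000002: 'irf|3B|',
    1000003: 'cat|3B|',
}
UDPSERVER_PORT = 9034  # destination port used by the rules

def decode_content(pattern: str) -> bytes:
    """Turn a Suricata/Snort content string with |hh hh| hex escapes into bytes."""
    out = bytearray()
    for literal, hexpart in re.findall(r'([^|]*)(?:\|([0-9A-Fa-f ]+)\|)?', pattern):
        out += literal.encode('latin-1')
        if hexpart:
            out += bytes.fromhex(hexpart)   # fromhex tolerates spaces between bytes
    return bytes(out)

def match_datagram(dst_port: int, payload: bytes) -> List[int]:
    """Return the sids whose content pattern appears in this UDP datagram.

    Like the rules, this is a plain byte-literal search: case-sensitive and
    requiring ';' immediately after the keyword (flow:to_server is ignored).
    """
    if dst_port != UDPSERVER_PORT:
        return []
    return [sid for sid, pat in RULE_CONTENTS.items() if decode_content(pat) in payload]

# Constructed sample datagrams (not captured traffic): the string shape from the
# post, a benign keyword use without ';', and the same bytes to another port.
SAMPLES = [
    (UDPSERVER_PORT, b'orf; ls; #'),
    (UDPSERVER_PORT, b'orf version'),
    (1234, b'orf; ls; #'),
]

def scan_samples() -> List[List[int]]:
    """Run every rule over every sample; one list of matching sids per sample."""
    return [match_datagram(port, payload) for port, payload in SAMPLES]

if __name__ == '__main__':
    for (port, payload), sids in zip(SAMPLES, scan_samples()):
        print(f'port {port} {payload!r}: {sids or "no match"}')
```

The second sample shows the tuning caveat: a datagram that separates the keyword from ";" with whitespace, or uses different case, will not trigger these literals, so a deployment should compare them against real UDPServer traffic on the segment.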
Versions concerned
Realtek Jungle SDK version 2.x
- rtl819x-SDK-v3.2.x Series
- rtl819x-SDK-v3.4x Series
- rtl819x-SDK-v3.4T Series
- rtl819x-SDK-v3.4T-CT Series
- rtl819x-eCos-v1.5.x Series
Author: Purple Team Gatewatcher
Resources