Realtek SDK Vulnerability Exposes Routers to Simple Exploit
A vulnerability in the SIP application layer gateway (ALG) included in Realtek's software development kit for its RTL819xD system on a chip devices exposes routers to a simple stack based buffer overflow. Patches are available from Realtek but have not yet been included by all vendors in updated firmware images. This vulnerability is exploitable via a single UDP packet sent to the router even if the web based administrative interface is not exposed.
This was probably the most important issue revealed at DefCon/BlackHat this year, and so far it has not been reported on much. It highlights a supply chain issue that organizations have a hard time handling. Affected devices are not typically found in enterprises, but in homes and small businesses. I do not know of an enterprise able of managing or even inventorying routers employees use when working from home, and users have a notoriously hard time finding and applying firmware upgrades to routers.
The vulnerable code is part of the networking stack, so attackers just need to send a specially crafted SIP packet to achieve device takeover. You can mitigate the risk by blocking UDP packets at your perimeter. Use caution to not block any critical services actively using UDP. VoIP and gaming services are the most likely affected by this approach; make sure that your VoIP provider is on the allow list. Keep an eye out for updates from your vendor, particularly if they reference CVE-2022-27255 or Realtek SDK update.
SANS Internet Storm Center info and guidance at https://isc.sans.edu/diary/Realtek+SDK+SIP+ALG+Vulnerability%3A+A+Big+Deal%2C+but+not+much+you+can+do+about+it.+CVE+2022-27255/28940
Read more in
Security Week: Realtek SDK Vulnerability Exposes Routers From Many Vendors to Remote Attacks
DefCon: Octavio Gianatiempo & Octavio Galland - Exploring the hidden attack surface of OEM IoT ...
IT News: Realtek SDK exposes systems to SIP bug
GitHub: CVE-2022-27255 - Realtek eCos SDK SIP ALG buffer overflow