Critical bugs found in Realtek RTL8195A Wi-Fi module [CVE-2020-9395]

Analysis by the IoT security firm Vdoo, discovered that six major vulnerabilities exist in the Realtek RTL8195A wifi module.  This has been assigned CVE-2020-9395.

Uriya Yavniely, Security Researcher, at Vdoo said that “the most severe issue we discovered is VD-1406, a remote stack overflow that allows an attacker in the proximity of an RTL8195 module to completely take over the module, without knowing the Wi-Fi network password (PSK) and regardless of whether the module is acting as a Wi-Fi access point or client.” 

As part of the module’s Wi-Fi functionality, the module supports the WEP, WPA and WPA2 authentication modes.

Realtek RTL8195A Wi-Fi Module

The RTL8195A is a standalone Wi-Fi hardware module which is being used in many low-power applications:  The module is an extremely compact, low-power Wi-Fi module targeted at embedded devices. It has supported software from major vendors such as ARM, Samsung, Google, Amazon and more. For example, according to AWS it is used in a myriad of industries such as: 

  • Agriculture 
  • Automotive 
  • Energy 
  • Gaming 
  • Healthcare
  • Industrial 
  • Security 
  • Smart Home 

The most severe issue we discovered is VD-1406, a remote stack overflow that allows an attacker in the proximity of an RTL8195 module to completely take over the module, without knowing the Wi-Fi network password (PSK) and regardless of whether the module is acting as a Wi-Fi access point or client. The attack scenarios are detailed in the next section: “Technical Deep-Dive”.

VD-1407 and VD-1411 can also be exploited without knowing the network security key (the PSK, or more accurately the PMK which is derived from it) and by this, a remote code execution or denial of service can be performed on a WPA2 client that uses this Wi-Fi module.

VD-1408, VD-1409 and VD-1410 require the attacker to know the network’s PSK as a prerequisite for the attack and can be abused for obtaining remote code execution on WPA2 clients that use this Wi-Fi module.

Realtek has already published a security bulletin and allocated a CVE on VD-1406.

You can read the full report here – https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: